{ "type": "URL", "indicator": "https://250awww.youtube.lu", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://250awww.youtube.lu", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3746623782, "indicator": "https://250awww.youtube.lu", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "65eb9b88c811f35e060a2aa5", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Crimes of Tracey Richter\"", "description": "", "modified": "2024-08-14T06:01:01.267000", "created": "2024-03-08T23:13:12.950000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65ea64dbc3938c6472fd5e7b", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 120, "FileHash-SHA256": 1086, "URL": 391, "domain": 285, "hostname": 369, "email": 1 }, "indicator_count": 2373, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e843669f4ba77affa4b297", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "description": "303 Error redirect target to desired service. | Likely using infected, updated apple Product. | Jays Youtube Bot.exe found. | Target saw episode subject, was suspicious due to 'diabolical women' connection promoted by Rexxfield[.] com (Tracey Richters ex-husband). I believe she was framed as is target I have come across. YouTube accounts are only told from the perspective of 2 ex-husbands, 1 doctor, 1 hacker and dentist[assaulter] who abused power. This trap makes targets look crazy, non credible leaving them traumatized. Attorneys or law enforcement likely overwhelmed, wild stories. I often consider truth is can be much stranger than fiction. Fiction often loosely based on truth.", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-06T10:20:22.440000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea64dbc3938c6472fd5e7b", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\" Crimes of Tracey Richter", "description": "", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-08T01:07:39.514000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e843669f4ba77affa4b297", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e576d419524d75af35a36e", "name": "FormBook", "description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:23:00.177000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "789 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e57f32581a900dfb272d05", "name": "FormBook | 172.31.13.249", "description": "", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:58:42.074000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": "65e576d419524d75af35a36e", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "789 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a127b18f314c64abf0ca", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information", "description": "", "modified": "2023-12-06T16:28:23.639000", "created": "2023-12-06T16:28:23.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11eb966ec5b823d2ae8", "name": "Drive By Malware", "description": "", "modified": "2023-12-06T16:28:14.217000", "created": "2023-12-06T16:28:14.217000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11966ff39f73aed8c7d", "name": "Fileless Malware", "description": "", "modified": "2023-12-06T16:28:09.128000", "created": "2023-12-06T16:28:09.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee7075f37dad88d73c3830", "name": "Fileless Malware", "description": "An example of 1 dangerous exploit. \nThis happened on Brand New fully updated locked down Apple iPhone, Samsung. If you happen to be looking at your phone, you may witness the following: Google logo on appengine.goohke .com Drive By will have a disclaimer that it is NOT affiliate.\nYou will see:\nhttps://accounts.google.com/AccountChooser?continue\nAll of your Gmail accounts will be displayed your primary account will be checked. The drive by happens at tspeed of 2 -3 seconds. Without clicking, your entire phone is compromised. Every account, locations, maps, YouTube, voice, camera, , keyloggers installed. This is not your fault. You are a target. There are empty hashes. It's fileless malware which does not write to storage. \nPhishing, malware hosting, other IoC s.\nExtremely hazardous, renders phone a zombie. New network and data plan all without your explicit consent.\nWelcome to the BotNetwork.\nhttp://appengine.google.com/\naccounts.google.com\nconsent.google.com/m?---- (Forced Consent on iOS device)", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:25:53.474000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee70f9eaecf035471ff80c", "name": "Drive By Malware ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:28:09.867000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee7075f37dad88d73c3830", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64eed9e039cd84d4b7b9aa54", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-30T05:55:44.012000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee70f9eaecf035471ff80c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "Amadey: IP 104.26.5.15", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Login privileges", "message.htm.com [Ransom | Malware Spreader]", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "How about stop harming people", "Unsupported/Fake Windows NT Version 5.0", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "gstatic.com", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "172.31.13.249", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "godaddy.com \u2022 prod.phx3.secureserver.net", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "Attempted to send viewer to own server." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan.win32.snovir.kfmibf", "Win32:malwarex-gen\\ [trj]", "#lowfienabledtcontinueafterunpacking", "Trojan:win32/antavmu.d", "Pws:msil/dcstl.gd!mtb", "Formbook", "Trojan:win32/zombie.a", "Trojan:win32/dorv.b!rfn", "Trojan:win32/qqpass", "Worm:win32/mofksys.rnd!mtb", "#lowfi:hstr:msil/possibledownloader.s01", "Emotet", "Amadey" ], "industries": [], "unique_indicators": 17405 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/youtube.lu", "whois": "http://whois.domaintools.com/youtube.lu", "domain": "youtube.lu", "hostname": "250awww.youtube.lu" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "65eb9b88c811f35e060a2aa5", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Crimes of Tracey Richter\"", "description": "", "modified": "2024-08-14T06:01:01.267000", "created": "2024-03-08T23:13:12.950000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65ea64dbc3938c6472fd5e7b", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 120, "FileHash-SHA256": 1086, "URL": 391, "domain": 285, "hostname": 369, "email": 1 }, "indicator_count": 2373, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e843669f4ba77affa4b297", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "description": "303 Error redirect target to desired service. | Likely using infected, updated apple Product. | Jays Youtube Bot.exe found. | Target saw episode subject, was suspicious due to 'diabolical women' connection promoted by Rexxfield[.] com (Tracey Richters ex-husband). I believe she was framed as is target I have come across. YouTube accounts are only told from the perspective of 2 ex-husbands, 1 doctor, 1 hacker and dentist[assaulter] who abused power. This trap makes targets look crazy, non credible leaving them traumatized. Attorneys or law enforcement likely overwhelmed, wild stories. I often consider truth is can be much stranger than fiction. Fiction often loosely based on truth.", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-06T10:20:22.440000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea64dbc3938c6472fd5e7b", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\" Crimes of Tracey Richter", "description": "", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-08T01:07:39.514000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e843669f4ba77affa4b297", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e576d419524d75af35a36e", "name": "FormBook", "description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:23:00.177000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "789 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e57f32581a900dfb272d05", "name": "FormBook | 172.31.13.249", "description": "", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:58:42.074000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": "65e576d419524d75af35a36e", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "789 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a127b18f314c64abf0ca", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information", "description": "", "modified": "2023-12-06T16:28:23.639000", "created": "2023-12-06T16:28:23.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11eb966ec5b823d2ae8", "name": "Drive By Malware", "description": "", "modified": "2023-12-06T16:28:14.217000", "created": "2023-12-06T16:28:14.217000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11966ff39f73aed8c7d", "name": "Fileless Malware", "description": "", "modified": "2023-12-06T16:28:09.128000", "created": "2023-12-06T16:28:09.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee7075f37dad88d73c3830", "name": "Fileless Malware", "description": "An example of 1 dangerous exploit. \nThis happened on Brand New fully updated locked down Apple iPhone, Samsung. If you happen to be looking at your phone, you may witness the following: Google logo on appengine.goohke .com Drive By will have a disclaimer that it is NOT affiliate.\nYou will see:\nhttps://accounts.google.com/AccountChooser?continue\nAll of your Gmail accounts will be displayed your primary account will be checked. The drive by happens at tspeed of 2 -3 seconds. Without clicking, your entire phone is compromised. Every account, locations, maps, YouTube, voice, camera, , keyloggers installed. This is not your fault. You are a target. There are empty hashes. It's fileless malware which does not write to storage. \nPhishing, malware hosting, other IoC s.\nExtremely hazardous, renders phone a zombie. New network and data plan all without your explicit consent.\nWelcome to the BotNetwork.\nhttp://appengine.google.com/\naccounts.google.com\nconsent.google.com/m?---- (Forced Consent on iOS device)", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:25:53.474000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee70f9eaecf035471ff80c", "name": "Drive By Malware ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:28:09.867000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee7075f37dad88d73c3830", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://250awww.youtube.lu", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://250awww.youtube.lu", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780326316.8101594 }