{ "type": "URL", "indicator": "https://53454f.4d722e526f626f74.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://53454f.4d722e526f626f74.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3771721526, "indicator": "https://53454f.4d722e526f626f74.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a50c4487060d52346fd", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:54:55.973000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a8048e6a285461c4a5d", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:55:42.972000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f147a7e55dd916fe9e3e2", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-30T02:27:06.140000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "652b2a8048e6a285461c4a5d", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "http://watchhers.net/index.php", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://account.helix.com/activate/start", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://twitter.com/PORNO_SEXYBABES", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://www.milehighmedia.com/legal/2257", "drive.google.com/", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Wisdomeyes.16070401.9500", "Cve-2023-22518", "Backdoor:msil/bladabindi.aj", "Win.trojan.generic-6417450-0", "Trojan:msil/clipbanker", "Maltiverse", "Win.malware.bzub-6727003-0", "Backdoor:msil/bladabindi.aj gc!", "Win.packed.msilperseus-9956592-0", "Mediamagnet", "Win.packed.generic-9795615-0", "Win.packed.fecn-7077459-0", "Zfaoz", "Trojan:msil/ranos.a", "Trojanspy", "Other malware", "Webtoolbar", "Wacatac", "Blacknet rat", "Win.dropper.njrat-10015886-0", "Win.trojan.generic-9801687-0", "Trojan:win32/tiggre", "Trojan:win32/floxif.e", "Win.packed.generic-9795615-0\t.", "Alf:backdoor:msil/noancooe.ka", "Win.virus.virlock-6804475-0", "Nid", "Unruy" ], "industries": [], "unique_indicators": 18706 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/4d722e526f626f74.com", "whois": "http://whois.domaintools.com/4d722e526f626f74.com", "domain": "4d722e526f626f74.com", "hostname": "53454f.4d722e526f626f74.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a50c4487060d52346fd", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:54:55.973000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a8048e6a285461c4a5d", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:55:42.972000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f147a7e55dd916fe9e3e2", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-30T02:27:06.140000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "652b2a8048e6a285461c4a5d", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://53454f.4d722e526f626f74.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://53454f.4d722e526f626f74.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776598943.7432446 }