{ "type": "URL", "indicator": "https://accounts.google.com/o/oauth2/auth", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://accounts.google.com/o/oauth2/auth", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2593373125, "indicator": "https://accounts.google.com/o/oauth2/auth", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "752 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "890 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "890 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "890 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a50c4487060d52346fd", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:54:55.973000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "929 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a8048e6a285461c4a5d", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:55:42.972000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "929 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f147a7e55dd916fe9e3e2", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-30T02:27:06.140000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "652b2a8048e6a285461c4a5d", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "929 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "All - EnterpriseAppsList.csv", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://tulach.cc/ [phishing]", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "Yara Detections PEtite24", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "https://urlscan.io/search/#ualberta.ca", "*otc.greatcall.com [Botnetwork]", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://www.hudsonrock.com/search?domain=ualberta.ca", "Virustotal - google.com.uy", "tulach.cc. [Malevolent | Modified description]", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "144.76.108.82 [scanning host]", "https://pegasusm2.bullsbikesusa.com", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "nr-data.net [Apple Private Data Collection]", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA", "Redirects to https://twitter.com?mx=1", "FormBook IP: 142.251.211.243", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "https://tria.ge/240517-vqxezaaa33/behavioral1", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "http://x.com/denverpolice/status/", "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "AppRegistrationList.csv", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://tria.ge/240517-t9pc2ahb2t", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "https://tria.ge/240521-q4s79agb25/static1", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "checkip.dyndns.org [command and control]", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Qbot" ], "malware_families": [ "Wisdomeyes.16070401.9500", "Tofsee", "Clicker.bgou", "Roblox", "Win.trojan.agent-752791", "Unruy", "Installer", "Ransom:win32/stopcrypt.ak!mtb", "Zfaoz", "Wannacry", "Win.trojan.downloader-63174", "Trojan:win32/qqpass", "Trojan:msil/trojandropper", "Win32:malware-gen", "Sf:agent-dq\\ [trj]", "Maltiverse", "Wacatac", "Blacknet rat", "Win32/vflooder.b vtapi dos", "Trojan:win32/tiggre", "Win.dropper.qqpass-9895638-0", "Win.trojan.tofsee-9770082-1", "Win32:dropperx-gen\\ [drp]", "Win32:trojan-gen", "Trojanspy", "Tulach malware", "Mediamagnet", "Webtoolbar", "Win.malware.vtflooder-6723768-0", "Win32/vflooder.b checkin", "Trojandownloader:win32/upatre!rfn" ], "industries": [ "Government", "Healthcare", "Technology", "Telecommunications", "Education" ], "unique_indicators": 104915 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "accounts.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "752 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "890 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "890 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "890 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://accounts.google.com/o/oauth2/auth", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://accounts.google.com/o/oauth2/auth", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780223408.2684753 }