{ "type": "URL", "indicator": "https://admin.moneyboxapp.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://admin.moneyboxapp.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3831655435, "indicator": "https://admin.moneyboxapp.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "6a126fcffc60a71dfab01f24", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:32:22.109000", "created": "2026-05-24T03:26:07.144000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4130, "URL": 11958, "hostname": 4644, "domain": 4304, "FileHash-MD5": 2256, "FileHash-SHA1": 1161, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1, "IPv6": 4, "IPv4": 6 }, "indicator_count": 28500, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a126fcc3620af2edeb95e57", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:26:04.439000", "created": "2026-05-24T03:26:04.439000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687605f986433ebf2673f0b8", "name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring", "description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}", "modified": "2025-08-14T07:05:00.239000", "created": "2025-07-15T07:40:41.180000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses hostname", "entries", "gmt etag", "server", "ecacc", "serving ip", "address", "dom dom", "data upload", "extraction", "pdf report", "enter", "failed", "extraction data", "enter sc", "type", "extra data", "extri please", "review data", "excluded tous", "tui sugges", "find", "show", "at filer", "iocs", "levelbluelabs", "please", "included iocs", "excluded io", "find suggested", "types", "domain data", "search", "o please", "manually add", "c data", "o suggesteo", "include data", "review uus", "u exclude", "find s", "indicaok data", "dom doman", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "copy", "push", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "mitre att", "utf8", "null", "refresh", "body", "span", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "discovery att" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3597, "FileHash-MD5": 343, "domain": 547, "hostname": 1222, "FileHash-SHA1": 343, "FileHash-SHA256": 4464, "CVE": 1, "email": 1 }, "indicator_count": 10518, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "291 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685186983a4dd00c2b45b255", "name": "Source:\thttps://cloud.samsara.com/o/79639/flee", "description": "", "modified": "2025-07-17T14:01:34.245000", "created": "2025-06-17T15:15:36.505000", "tags": [ "body", "cps https", "location", "urls server", "cloudfront", "united", "unknown aaaa", "search", "digital press", "moved", "digital culture", "ip address", "creation date", "record value", "entries", "date", "meta", "urls", "http", "passive dns", "unique", "pulse pulses", "related nids", "files location", "flag united", "showing", "rich content", "system", "cdn amazon", "amazons3 tls", "certificate", "redirects", "ua9385760744", "utc na", "utc google", "tag manager", "gk4vnlmd3b9", "server", "amazon", "net1832001", "net18160001", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "present mar", "present feb", "unknown cname", "urls show", "date checked", "url hostname", "server response", "aaaa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "685186035e5fb63846d29e45", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2075, "URL": 5471, "hostname": 1531, "domain": 1013, "FileHash-MD5": 55, "FileHash-SHA1": 53, "CVE": 1, "SSLCertFingerprint": 1, "email": 1, "CIDR": 2 }, "indicator_count": 10203, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685186035e5fb63846d29e45", "name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat", "description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced", "modified": "2025-07-17T14:01:34.245000", "created": "2025-06-17T15:13:07.233000", "tags": [ "body", "cps https", "location", "urls server", "cloudfront", "united", "unknown aaaa", "search", "digital press", "moved", "digital culture", "ip address", "creation date", "record value", "entries", "date", "meta", "urls", "http", "passive dns", "unique", "pulse pulses", "related nids", "files location", "flag united", "showing", "rich content", "system", "cdn amazon", "amazons3 tls", "certificate", "redirects", "ua9385760744", "utc na", "utc google", "tag manager", "gk4vnlmd3b9", "server", "amazon", "net1832001", "net18160001", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "present mar", "present feb", "unknown cname", "urls show", "date checked", "url hostname", "server response", "aaaa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2075, "URL": 5471, "hostname": 1531, "domain": 1013, "FileHash-MD5": 55, "FileHash-SHA1": 53, "CVE": 1, "SSLCertFingerprint": 1, "email": 1, "CIDR": 2 }, "indicator_count": 10203, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68743733a69ce827f6156f5c", "name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy", "description": "", "modified": "2025-07-13T22:46:11.685000", "created": "2025-07-13T22:46:11.685000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "322 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e0ffb31d4881f3238713", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:15:27.994000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e142f0c8f5ddecbc788c", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:16:34.388000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 94, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e15588a794b95443b46d", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated", "modified": "2024-08-05T02:03:31.529000", "created": "2024-07-06T06:16:53.461000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "file size", "b file", "detections file", "gzip chrome", "cache entry", "graph", "ip detections", "country", "domains", "internet domain", "service bs", "corp", "namecheap inc", "csc corporate", "tucows", "epik llc", "tucows domains" ], "references": [ "https://www.searchw3.com/", "IP\u2019s Contacted: 192.124.249.187", "Ransomware: message.htm.com", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3731, "URL": 11926, "hostname": 4626, "domain": 4135, "FileHash-MD5": 1530, "FileHash-SHA1": 762, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 26747, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7119615db47ea27706a86", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-04-12T23:03:13.367000", "created": "2024-01-29T02:46:46.076000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9102, "CVE": 5, "FileHash-MD5": 68, "FileHash-SHA1": 67, "FileHash-SHA256": 2209, "domain": 1427, "hostname": 4334 }, "indicator_count": 17212, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "779 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65de941acedcdd661f0593b6", "name": "Esurance Remote Attacks (Cloned. Who modifies reports? This happens to me)", "description": "", "modified": "2024-02-28T02:02:02.807000", "created": "2024-02-28T02:02:02.807000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": "65b711a6f49f057c311f2642", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "824 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80763e9d9e18cf87d985b", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T20:15:31.163000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": "65b711a6f49f057c311f2642", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b711a6f49f057c311f2642", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T02:47:02.117000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7119e9272b1426729e1ed", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T02:46:54.594000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Trojan:Win32/WannaCry.350", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "Ransomware: message.htm.com", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "deviceinbox.com", "https://www.malwarebytes.com/emotet", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "angebot.staude.de", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "https://www.searchw3.com/", "192.124.249.187", "c1a99e3bde9bad27e463c32b96311312.virus", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "CS IDS rule: (port_scan) TCP filtered portsweep", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "cellebrite.com | enterprise.cellebrite.com", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "https://www.esurance.com/", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/", "IP\u2019s Contacted: 192.124.249.187", "https://www.sweetheartvideo.com/tsara-brashears/", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group - Pegasus" ], "malware_families": [ "Lolkek", "Cl0p", "Emotet", "Trojanspy", "Trojan:win32/wannacry.350", "Redline" ], "industries": [ "Insurance", "Civil society", "Telecom" ], "unique_indicators": 77837 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/moneyboxapp.org", "whois": "http://whois.domaintools.com/moneyboxapp.org", "domain": "moneyboxapp.org", "hostname": "admin.moneyboxapp.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "6a126fcffc60a71dfab01f24", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:32:22.109000", "created": "2026-05-24T03:26:07.144000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4130, "URL": 11958, "hostname": 4644, "domain": 4304, "FileHash-MD5": 2256, "FileHash-SHA1": 1161, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1, "IPv6": 4, "IPv4": 6 }, "indicator_count": 28500, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a126fcc3620af2edeb95e57", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:26:04.439000", "created": "2026-05-24T03:26:04.439000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687605f986433ebf2673f0b8", "name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring", "description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}", "modified": "2025-08-14T07:05:00.239000", "created": "2025-07-15T07:40:41.180000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses hostname", "entries", "gmt etag", "server", "ecacc", "serving ip", "address", "dom dom", "data upload", "extraction", "pdf report", "enter", "failed", "extraction data", "enter sc", "type", "extra data", "extri please", "review data", "excluded tous", "tui sugges", "find", "show", "at filer", "iocs", "levelbluelabs", "please", "included iocs", "excluded io", "find suggested", "types", "domain data", "search", "o please", "manually add", "c data", "o suggesteo", "include data", "review uus", "u exclude", "find s", "indicaok data", "dom doman", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "copy", "push", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "mitre att", "utf8", "null", "refresh", "body", "span", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "discovery att" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3597, "FileHash-MD5": 343, "domain": 547, "hostname": 1222, "FileHash-SHA1": 343, "FileHash-SHA256": 4464, "CVE": 1, "email": 1 }, "indicator_count": 10518, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "291 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685186983a4dd00c2b45b255", "name": "Source:\thttps://cloud.samsara.com/o/79639/flee", "description": "", "modified": "2025-07-17T14:01:34.245000", "created": "2025-06-17T15:15:36.505000", "tags": [ "body", "cps https", "location", "urls server", "cloudfront", "united", "unknown aaaa", "search", "digital press", "moved", "digital culture", "ip address", "creation date", "record value", "entries", "date", "meta", "urls", "http", "passive dns", "unique", "pulse pulses", "related nids", "files location", "flag united", "showing", "rich content", "system", "cdn amazon", "amazons3 tls", "certificate", "redirects", "ua9385760744", "utc na", "utc google", "tag manager", "gk4vnlmd3b9", "server", "amazon", "net1832001", "net18160001", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "present mar", "present feb", "unknown cname", "urls show", "date checked", "url hostname", "server response", "aaaa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "685186035e5fb63846d29e45", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2075, "URL": 5471, "hostname": 1531, "domain": 1013, "FileHash-MD5": 55, "FileHash-SHA1": 53, "CVE": 1, "SSLCertFingerprint": 1, "email": 1, "CIDR": 2 }, "indicator_count": 10203, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685186035e5fb63846d29e45", "name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat", "description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced", "modified": "2025-07-17T14:01:34.245000", "created": "2025-06-17T15:13:07.233000", "tags": [ "body", "cps https", "location", "urls server", "cloudfront", "united", "unknown aaaa", "search", "digital press", "moved", "digital culture", "ip address", "creation date", "record value", "entries", "date", "meta", "urls", "http", "passive dns", "unique", "pulse pulses", "related nids", "files location", "flag united", "showing", "rich content", "system", "cdn amazon", "amazons3 tls", "certificate", "redirects", "ua9385760744", "utc na", "utc google", "tag manager", "gk4vnlmd3b9", "server", "amazon", "net1832001", "net18160001", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "present mar", "present feb", "unknown cname", "urls show", "date checked", "url hostname", "server response", "aaaa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2075, "URL": 5471, "hostname": 1531, "domain": 1013, "FileHash-MD5": 55, "FileHash-SHA1": 53, "CVE": 1, "SSLCertFingerprint": 1, "email": 1, "CIDR": 2 }, "indicator_count": 10203, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68743733a69ce827f6156f5c", "name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy", "description": "", "modified": "2025-07-13T22:46:11.685000", "created": "2025-07-13T22:46:11.685000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "322 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e0ffb31d4881f3238713", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:15:27.994000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e142f0c8f5ddecbc788c", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:16:34.388000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 94, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e15588a794b95443b46d", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated", "modified": "2024-08-05T02:03:31.529000", "created": "2024-07-06T06:16:53.461000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "file size", "b file", "detections file", "gzip chrome", "cache entry", "graph", "ip detections", "country", "domains", "internet domain", "service bs", "corp", "namecheap inc", "csc corporate", "tucows", "epik llc", "tucows domains" ], "references": [ "https://www.searchw3.com/", "IP\u2019s Contacted: 192.124.249.187", "Ransomware: message.htm.com", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3731, "URL": 11926, "hostname": 4626, "domain": 4135, "FileHash-MD5": 1530, "FileHash-SHA1": 762, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 26747, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7119615db47ea27706a86", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-04-12T23:03:13.367000", "created": "2024-01-29T02:46:46.076000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9102, "CVE": 5, "FileHash-MD5": 68, "FileHash-SHA1": 67, "FileHash-SHA256": 2209, "domain": 1427, "hostname": 4334 }, "indicator_count": 17212, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "779 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://admin.moneyboxapp.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://admin.moneyboxapp.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780353947.3829935 }