{ "type": "URL", "indicator": "https://ads.kwanzoo.com/embed", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ads.kwanzoo.com/embed", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3757393109, "indicator": "https://ads.kwanzoo.com/embed", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6564fa9a3d90d1cd14928b16", "name": "Lumma \u2022 University of Alberta \"No Problems\" | T1036 - Masquerading", "description": "I was contacted on this forum re: University of Alberta issue. Based on research www.ualberta.ca redirects. There hasn't been a research effort for redirect. I researched a spoofed website. After viewing senders request, my devices operating system changed, isn't recognized by any accounts, keyloggers.\nFound: Anonymizers, Redirector, Masquerading, Network RAT, Serious Social Engineering, Botnetwork Army, Stealers, Lumma and weirdly targeted 'Tsara Brashears' as a malicious link on a spoofed University in Canada, UCHealth Colorado links.", "modified": "2023-12-27T19:03:02.665000", "created": "2023-11-27T20:22:50.050000", "tags": [ "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json url", "urls", "detection list", "cisco umbrella", "site", "heur", "safe site", "alexa top", "million", "malware", "malicious site", "phishing site", "malicious url", "phishing", "riskware", "presenoker", "artemis", "agent", "unsafe", "opencandy", "ursnif", "wacatac", "team", "facebook", "runescape", "service", "downldr", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "installcore", "fareit", "secrisk", "exploit", "mimikatz", "sorano", "emotet", "genkryptik", "fuery", "dbatloader", "qakbot", "alexa", "malicious", "union", "lumma stealer", "fusioncore", "cleaner", "azorult", "bank", "blacknet rat", "stealer", "iframe", "trojanspy", "analysis", "united", "firehol", "proxy", "mail spammer", "downloader", "malware site", "meterpreter", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "unruy", "adwind", "trojanx", "crack", "win64", "generic", "dnspionage", "expirestue", "path", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "alberta", "university", "edmonton", "html info", "alberta meta", "tags", "trackers google", "tag manager", "gtmkr32", "blacklist", "low risk", "apache", "domain", "malware found", "unknown", "minimal low", "security risk", "medium high", "critical", "protect", "college", "mtis", "faculties", "research", "health", "a about", "news", "events", "sport", "life", "find", "story", "tools", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "pattern match", "file", "date", "factory", "hybrid", "general", "cookie", "click", "strings", "djin", "no data", "tag count", "sample", "samples", "netsky", "cobalt strike", "xrat", "fakealert", "raccoon", "redline stealer", "metastealer", "icedid", "quasar rat", "acint", "anonymizer", "blockchain", "social engineering", "read c", "search", "show", "medium", "entries", "whitelisted", "memcommit", "delete", "yara detections", "next", "dock", "write", "execution", "copy", "south carolina", "federal credit", "team proxy", "static engine", "covid19", "redirector", "suspic", "tue mar", "zbot", "size68b type", "count blacklist", "tag tag", "rejected sample", "icon", "analyzed", "hwp support", "falcon sandbox", "multi scan", "update", "view details", "upgrade", "blacklist https", "keyloggers" ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (iPhone unlocker)", "uchealth.com", "http://michaela.young@uchealth.com", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Network RAT", "display_name": "Network RAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" } ], "industries": [ "Education", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 320, "FileHash-SHA1": 172, "FileHash-SHA256": 4302, "URL": 8243, "CIDR": 1, "domain": 1742, "hostname": 2270, "CVE": 18, "SSLCertFingerprint": 3, "email": 4 }, "indicator_count": 17075, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c8adc78d892cadd250a", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:54.432000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "Alienvault OTX", "Data Analysis", "Hybrid Analysis", "http://michaela.young@uchealth.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (iPhone unlocker)", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://metro-tmo.com/", "uchealth.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Backdoor:win32/outbreak", "Vidar", "Backdoor:msil/bladabindi", "Irata", "Lumma stealer", "Metro", "Ramnit", "Trojandropper:vbs/swrort", "Alf:pua:win32/opencandy", "Opencandy", "Mimikatz", "Trojan:win32/installcore", "Pony - s0453", "Redline stealer", "Maltiverse", "Trojanspy", "Quasar rat", "Qakbot", "Beach research", "Meterpreter", "Unruy", "Virut", "Raccoon", "Squirrelwaffle", "Blacknet rat", "Backdoor:win32/zbot", "Trojanx", "Alf:trojan:o97m/emotet", "Brontok", "Formbook", "Suppobox", "Virus:dos/metro", "Network rat", "Emotet", "Alf:pua:win32/fusioncore", "Artemis", "Azorult", "Cobalt strike - s0154", "Trojandownloader:o97m/bazaloader" ], "industries": [ "Education", "Gas", "Food", "Healthcare", "Entertainment" ], "unique_indicators": 25496 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/kwanzoo.com", "whois": "http://whois.domaintools.com/kwanzoo.com", "domain": "kwanzoo.com", "hostname": "ads.kwanzoo.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6564fa9a3d90d1cd14928b16", "name": "Lumma \u2022 University of Alberta \"No Problems\" | T1036 - Masquerading", "description": "I was contacted on this forum re: University of Alberta issue. Based on research www.ualberta.ca redirects. There hasn't been a research effort for redirect. I researched a spoofed website. After viewing senders request, my devices operating system changed, isn't recognized by any accounts, keyloggers.\nFound: Anonymizers, Redirector, Masquerading, Network RAT, Serious Social Engineering, Botnetwork Army, Stealers, Lumma and weirdly targeted 'Tsara Brashears' as a malicious link on a spoofed University in Canada, UCHealth Colorado links.", "modified": "2023-12-27T19:03:02.665000", "created": "2023-11-27T20:22:50.050000", "tags": [ "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json url", "urls", "detection list", "cisco umbrella", "site", "heur", "safe site", "alexa top", "million", "malware", "malicious site", "phishing site", "malicious url", "phishing", "riskware", "presenoker", "artemis", "agent", "unsafe", "opencandy", "ursnif", "wacatac", "team", "facebook", "runescape", "service", "downldr", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "installcore", "fareit", "secrisk", "exploit", "mimikatz", "sorano", "emotet", "genkryptik", "fuery", "dbatloader", "qakbot", "alexa", "malicious", "union", "lumma stealer", "fusioncore", "cleaner", "azorult", "bank", "blacknet rat", "stealer", "iframe", "trojanspy", "analysis", "united", "firehol", "proxy", "mail spammer", "downloader", "malware site", "meterpreter", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "unruy", "adwind", "trojanx", "crack", "win64", "generic", "dnspionage", "expirestue", "path", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "alberta", "university", "edmonton", "html info", "alberta meta", "tags", "trackers google", "tag manager", "gtmkr32", "blacklist", "low risk", "apache", "domain", "malware found", "unknown", "minimal low", "security risk", "medium high", "critical", "protect", "college", "mtis", "faculties", "research", "health", "a about", "news", "events", "sport", "life", "find", "story", "tools", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "pattern match", "file", "date", "factory", "hybrid", "general", "cookie", "click", "strings", "djin", "no data", "tag count", "sample", "samples", "netsky", "cobalt strike", "xrat", "fakealert", "raccoon", "redline stealer", "metastealer", "icedid", "quasar rat", "acint", "anonymizer", "blockchain", "social engineering", "read c", "search", "show", "medium", "entries", "whitelisted", "memcommit", "delete", "yara detections", "next", "dock", "write", "execution", "copy", "south carolina", "federal credit", "team proxy", "static engine", "covid19", "redirector", "suspic", "tue mar", "zbot", "size68b type", "count blacklist", "tag tag", "rejected sample", "icon", "analyzed", "hwp support", "falcon sandbox", "multi scan", "update", "view details", "upgrade", "blacklist https", "keyloggers" ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (iPhone unlocker)", "uchealth.com", "http://michaela.young@uchealth.com", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Network RAT", "display_name": "Network RAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" } ], "industries": [ "Education", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 320, "FileHash-SHA1": 172, "FileHash-SHA256": 4302, "URL": 8243, "CIDR": 1, "domain": 1742, "hostname": 2270, "CVE": 18, "SSLCertFingerprint": 3, "email": 4 }, "indicator_count": 17075, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c8adc78d892cadd250a", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:54.432000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ads.kwanzoo.com/embed", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ads.kwanzoo.com/embed", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776634575.2310908 }