{
"type": "URL",
"indicator": "https://almavision.almavision.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://almavision.almavision.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3659195569,
"indicator": "https://almavision.almavision.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 44,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952fbca42c1b0da7431e6a7",
"name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ",
"description": "",
"modified": "2025-12-29T22:08:10.280000",
"created": "2025-12-29T22:08:10.280000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": "6877422df67773a07ef450c2",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "111 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6928f8d9e4222a6a219d785e",
"name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
"description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
"modified": "2025-12-28T00:04:06.179000",
"created": "2025-11-28T01:20:25.401000",
"tags": [
"dynamicloader",
"json",
"ascii text",
"high",
"data",
"x90uxa4xf8",
"cape",
"stream",
"guard",
"write",
"trojan",
"redline",
"malware",
"push",
"local",
"injection_inter_process",
"recon_fingerprint",
"persistence_ads",
"process_creation_suspicious_location",
"infostealer_browser",
"infostealer_cookies",
"stealth_file",
"cape_detected_threat",
"antivm_generic_bios",
"cape_extracted_content",
"united",
"mtb jul",
"a domains",
"aaaa",
"443 ma86400",
"servers",
"win32upatre jul",
"virtool",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"present mar",
"fastest privacy",
"first dns",
"win32",
"trojandropper",
"passive dns",
"mtb nov",
"ipv4 add",
"asn as13335",
"dns resolutions",
"domain",
"data upload",
"extraction",
"yara",
"troja yara",
"trojar data",
"virto",
"worn data",
"included iocs",
"manually add",
"resolved ips",
"ta0002",
"evasion ta0005",
"tr shared",
"modules",
"files",
"infor",
"t1027",
"process t1057",
"community score",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"name server",
"date",
"cloudflare",
"data protected",
"misc activity",
"et info",
"dns requests",
"domain address",
"gmt flag",
"techtarget",
"server",
"et policy",
"prefetch2",
"t1179 hooking",
"access windows",
"installs",
"mitre att",
"ck techniques",
"click",
"windir",
"country",
"contacted hosts",
"ip address",
"process details",
"contacted",
"http traffic",
"suricata alerts",
"event category",
"found"
],
"references": [
"Malware : ClipBanker Entity: Crazy Frost",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Services : GoogleChromeElevationService = Delete",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"CS IDS: Matches rule (http_inspect) invalid status line",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube/"
],
"public": 1,
"adversary": "Crazy Frost",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Trojan.Disfa/downloader10",
"display_name": "Trojan.Disfa/downloader10",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "Rozena",
"display_name": "Rozena",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 295,
"FileHash-SHA1": 217,
"FileHash-SHA256": 1887,
"URL": 3263,
"domain": 597,
"hostname": 1085,
"email": 2,
"CVE": 1
},
"indicator_count": 7347,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "112 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6877422df67773a07ef450c2",
"name": "Pegasus / Pegacloud - Infiltration",
"description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.",
"modified": "2025-08-15T05:01:22.570000",
"created": "2025-07-16T06:09:49.704000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "247 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cd05cd3c9d0cc0b9ed215f",
"name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender",
"description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.",
"modified": "2024-04-15T08:03:32.381000",
"created": "2024-02-14T18:26:21.427000",
"tags": [
"united",
"unknown",
"status",
"sec ch",
"as44273 host",
"search",
"aaaa",
"showing",
"ch ua",
"record value",
"ssl certificate",
"threat roundup",
"contacted",
"communicating",
"historical ssl",
"referrer",
"resolutions",
"http",
"execution",
"gopher",
"pattern match",
"breakpoint",
"command decode",
"desktop",
"base",
"gambino",
"pizza",
"suricata ipv4",
"mitre att",
"date",
"meta",
"footer",
"february",
"general",
"model",
"comspec",
"click",
"strings",
"main",
"brian sabey",
"hallrender",
"trojan",
"worm",
"frankfurt",
"germany",
"asn15169",
"google",
"asn16509",
"amazon02",
"asn396982",
"kansas city",
"franchise url",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"reverse dns",
"general full",
"url https",
"resource",
"hash",
"protocol h2",
"asn13335",
"cloudflarenet",
"software",
"domains",
"hashes",
"learn",
"issues tab",
"value",
"variables",
"typeof function",
"topropertykey",
"bricksintersect",
"bricksfunction",
"domainpath name",
"request chain",
"chain",
"nl page",
"url history",
"javascript",
"page url",
"redirected",
"poweshell",
"bruschettab",
"mobsterstageda",
"calzonec",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"beefpizzac",
"superitaliansub",
"cname",
"msie",
"chrome",
"asnone united",
"as6336 turn",
"nxdomain",
"whitelisted",
"creation date",
"turn",
"body",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"registrar abuse",
"iana id",
"registrar url",
"registrar whois",
"contact email",
"registry domain",
"contact phone",
"dnssec",
"code",
"type name",
"win32 exe",
"recreation",
"whois record",
"infected",
"page dow",
"poser",
"scammer",
"security",
"malvertizing",
"betting",
"illegal activity",
"linux",
"teen porn",
"child exploitation",
"script urls",
"a domains",
"as10796 charter",
"find your",
"next franchise",
"x content",
"backend",
"as13768 aptum",
"moved",
"passive dns",
"urls",
"as2635",
"as14061",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"ip address",
"related nids",
"files location",
"date hash",
"avast avg",
"nastya",
"entries",
"emotet",
"windows nt",
"show",
"etpro trojan",
"channel",
"artemis",
"medium",
"delete",
"copy",
"virustotal",
"trojan",
"write",
"trojanproxy",
"vipre",
"panda",
"malware",
"malware infection",
"dga",
"algorithm generated domains",
"command and control",
"pe32 executable",
"tag",
"tagging",
"porn tagging",
"as3356 level",
"tahoma arial",
"servers",
"as1136 kpn",
"next",
"et",
"remote",
"confirm http",
"sectrack",
"openssl",
"fulldisc",
"secunia",
"confirm https",
"openssl tls",
"multiple",
"remote",
"misc https",
"impact",
"heartbleed",
"external source",
"name hyperlink",
"hp hpsbmu02998",
"hp hpsbmu03019",
"hp hpsbmu03030",
"hp hpsbmu03018",
"title",
"lowfi",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"mozilla",
"720.282.2025",
"masquerading",
"ninite feb",
"mtb feb",
"telper",
"trojandropper",
"ninite",
"create c",
"read c",
"default",
"create",
"unicode",
"dock",
"xport"
],
"references": [
"www.gambinospizza.com",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"http://porn.toplistcreator.eu/in.php",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "XLS:Nastya\\ [Trj]",
"display_name": "XLS:Nastya\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Crypt4.YGM",
"display_name": "Crypt4.YGM",
"target": null
},
{
"id": "ZBot",
"display_name": "ZBot",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Heartbleed Bug",
"display_name": "Heartbleed Bug",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 59,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 118,
"FileHash-SHA1": 106,
"domain": 3271,
"hostname": 2451,
"URL": 8652,
"email": 8,
"FileHash-SHA256": 3153,
"CVE": 4
},
"indicator_count": 17763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "734 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659fa1fad840744f75eb2d14",
"name": "Worm:Win32/Benjamin IoC's",
"description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples | \nFiles Matching Antivirus Detection - 296,250 \nNetwork Icmp\nPersistence Autorun\nNetwork Http\nDynamic Function Loading\nProcmem Yara\nInjection Rwx\nPowershell Request\nDead Connect\nSuricata Alert\nPe Features\nPacker Entropy\nAntivm Memory Available\nAllocates Rwx\nCreates Exe\nPacker Polymorphic\nNids Alert\nDead Host\nNolookup Communication",
"modified": "2024-02-10T07:03:55.140000",
"created": "2024-01-11T08:08:26.689000",
"tags": [
"worm",
"win32",
"benjamin",
"passive dns",
"as47846",
"germany unknown",
"urls",
"next",
"scan endpoints",
"all octoseek",
"unknown",
"threat roundup",
"ssl certificate",
"whois record",
"august",
"april",
"execution",
"october",
"july",
"march",
"contacted",
"june",
"emotet",
"quasar",
"core",
"hacktool",
"goldfinder",
"sibot",
"ryuk",
"drxk0gdg2s06f8p",
"cfom2jtlf",
"k60zzli http",
"whois whois",
"historical ssl",
"resolutions",
"referrer"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 145,
"FileHash-SHA256": 2888,
"hostname": 1075,
"domain": 1007,
"URL": 4964,
"CVE": 1
},
"indicator_count": 10224,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "799 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a4898fa85cad0af83e032d",
"name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ",
"description": "",
"modified": "2024-02-04T18:00:29.833000",
"created": "2024-01-15T01:25:35.060000",
"tags": [
"ssl certificate",
"whois record",
"execution",
"contacted",
"dropped",
"historical ssl",
"communicating",
"referrer",
"stolec kradnie",
"vt graph",
"first",
"utc submissions",
"submitters",
"amazonaes",
"amazon02",
"cloudflarenet",
"gandi sas",
"csc corporate",
"ltd dba",
"com laude",
"facebook",
"paris",
"twitter",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"url https",
"samples",
"bundled",
"tracking",
"tsara brashears",
"malware hunting",
"hacktool",
"emotet",
"copy",
"brashears",
"dynadot inc",
"enom",
"srsplus",
"spaceship",
"CVE-2017-0147",
"spy cve",
"pegasus",
"CVE-2017-0147 also found in Pegasus",
"mile high",
"logos",
"trademarks",
"aylo premium",
"click",
"record keeping",
"statement",
"all rights",
"reserved",
"vendo",
"hostnames",
"urls https",
"namecheap inc",
"feeds ioc",
"maltiverse",
"analyze",
"fastly",
"mb installer",
"helper",
"summary iocs",
"graph community",
"urls",
"urls http",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"body",
"date",
"gmt server",
"user agent",
"content type",
"encrypt",
"accept",
"as136800 sun",
"ipv4",
"pulse submit",
"url analysis",
"files",
"location hong",
"kong asn",
"dns resolutions",
"dinkle threat",
"mirai",
"hallrender",
"briansabey",
"brian sabey",
"mark sabey",
"uche6vol",
"uc health medical campus colorado medical campus",
"abuse"
],
"references": [
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"CVE-2017-0147",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"114.114.114.114 - Tulach Malware",
"Targeting",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"tsarabrashears.com",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"sweetheartvideo.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"www.dead-speak.com",
"Certificate Subject CN=brazzerspesonals.com",
"http://r3.o.lencr.org",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"104.247.75.218 | [cnc ]",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BRASHEARS",
"display_name": "BRASHEARS",
"target": null
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "TULACH",
"display_name": "TULACH",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "SPACESHIP",
"display_name": "SPACESHIP",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Virus:DOS/Paris",
"display_name": "Virus:DOS/Paris",
"target": "/malware/Virus:DOS/Paris"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "659864448507cc1752ff6456",
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 885,
"FileHash-SHA1": 505,
"FileHash-SHA256": 5051,
"URL": 12316,
"domain": 3944,
"hostname": 4449,
"CVE": 2
},
"indicator_count": 27152,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "805 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659864448507cc1752ff6456",
"name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus",
"description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.",
"modified": "2024-02-04T18:00:29.833000",
"created": "2024-01-05T20:19:16.886000",
"tags": [
"ssl certificate",
"whois record",
"execution",
"contacted",
"dropped",
"historical ssl",
"communicating",
"referrer",
"stolec kradnie",
"vt graph",
"first",
"utc submissions",
"submitters",
"amazonaes",
"amazon02",
"cloudflarenet",
"gandi sas",
"csc corporate",
"ltd dba",
"com laude",
"facebook",
"paris",
"twitter",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"url https",
"samples",
"bundled",
"tracking",
"tsara brashears",
"malware hunting",
"hacktool",
"emotet",
"copy",
"brashears",
"dynadot inc",
"enom",
"srsplus",
"spaceship",
"CVE-2017-0147",
"spy cve",
"pegasus",
"CVE-2017-0147 also found in Pegasus",
"mile high",
"logos",
"trademarks",
"aylo premium",
"click",
"record keeping",
"statement",
"all rights",
"reserved",
"vendo",
"hostnames",
"urls https",
"namecheap inc",
"feeds ioc",
"maltiverse",
"analyze",
"fastly",
"mb installer",
"helper",
"summary iocs",
"graph community",
"urls",
"urls http",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"body",
"date",
"gmt server",
"user agent",
"content type",
"encrypt",
"accept",
"as136800 sun",
"ipv4",
"pulse submit",
"url analysis",
"files",
"location hong",
"kong asn",
"dns resolutions",
"dinkle threat",
"mirai",
"hallrender",
"briansabey",
"brian sabey",
"mark sabey",
"uche6vol",
"uc health medical campus colorado medical campus",
"abuse"
],
"references": [
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"CVE-2017-0147",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"114.114.114.114 - Tulach Malware",
"Targeting",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"tsarabrashears.com",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"sweetheartvideo.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"www.dead-speak.com",
"Certificate Subject CN=brazzerspesonals.com",
"http://r3.o.lencr.org",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"104.247.75.218 | [cnc ]",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BRASHEARS",
"display_name": "BRASHEARS",
"target": null
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "TULACH",
"display_name": "TULACH",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "SPACESHIP",
"display_name": "SPACESHIP",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Virus:DOS/Paris",
"display_name": "Virus:DOS/Paris",
"target": "/malware/Virus:DOS/Paris"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 885,
"FileHash-SHA1": 505,
"FileHash-SHA256": 5051,
"URL": 12316,
"domain": 3944,
"hostname": 4449,
"CVE": 2
},
"indicator_count": 27152,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "805 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659864357d1d3185efc5c112",
"name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus",
"description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.",
"modified": "2024-02-04T18:00:29.833000",
"created": "2024-01-05T20:19:01.457000",
"tags": [
"ssl certificate",
"whois record",
"execution",
"contacted",
"dropped",
"historical ssl",
"communicating",
"referrer",
"stolec kradnie",
"vt graph",
"first",
"utc submissions",
"submitters",
"amazonaes",
"amazon02",
"cloudflarenet",
"gandi sas",
"csc corporate",
"ltd dba",
"com laude",
"facebook",
"paris",
"twitter",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"url https",
"samples",
"bundled",
"tracking",
"tsara brashears",
"malware hunting",
"hacktool",
"emotet",
"copy",
"brashears",
"dynadot inc",
"enom",
"srsplus",
"spaceship",
"CVE-2017-0147",
"spy cve",
"pegasus",
"CVE-2017-0147 also found in Pegasus",
"mile high",
"logos",
"trademarks",
"aylo premium",
"click",
"record keeping",
"statement",
"all rights",
"reserved",
"vendo",
"hostnames",
"urls https",
"namecheap inc",
"feeds ioc",
"maltiverse",
"analyze",
"fastly",
"mb installer",
"helper",
"summary iocs",
"graph community",
"urls",
"urls http",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"body",
"date",
"gmt server",
"user agent",
"content type",
"encrypt",
"accept",
"as136800 sun",
"ipv4",
"pulse submit",
"url analysis",
"files",
"location hong",
"kong asn",
"dns resolutions",
"dinkle threat",
"mirai",
"hallrender",
"briansabey",
"brian sabey",
"mark sabey",
"uche6vol",
"uc health medical campus colorado medical campus",
"abuse"
],
"references": [
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"CVE-2017-0147",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"114.114.114.114 - Tulach Malware",
"Targeting",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"tsarabrashears.com",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"sweetheartvideo.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"www.dead-speak.com",
"Certificate Subject CN=brazzerspesonals.com",
"http://r3.o.lencr.org",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"104.247.75.218 | [cnc ]",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BRASHEARS",
"display_name": "BRASHEARS",
"target": null
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "TULACH",
"display_name": "TULACH",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "SPACESHIP",
"display_name": "SPACESHIP",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Virus:DOS/Paris",
"display_name": "Virus:DOS/Paris",
"target": "/malware/Virus:DOS/Paris"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 885,
"FileHash-SHA1": 505,
"FileHash-SHA256": 5051,
"URL": 12316,
"domain": 3944,
"hostname": 4449,
"CVE": 2
},
"indicator_count": 27152,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "805 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65831c52eceb4090b5d49d21",
"name": "Critical (GC)",
"description": "",
"modified": "2024-01-19T15:01:02.500000",
"created": "2023-12-20T16:54:42.626000",
"tags": [
"ssl certificate",
"threat roundup",
"referrer",
"historical",
"historical ssl",
"colors",
"pattern match",
"windir",
"openurl c",
"logo",
"december",
"default browser",
"guest system",
"professional",
"service pack",
"click",
"strings",
"report",
"command_and_control",
"file",
"ascii text",
"done adding",
"catalog file",
"appdata",
"united",
"windows nt",
"indicator",
"mitre att",
"date",
"unknown",
"error",
"general",
"local",
"facebook",
"class",
"generator",
"critical",
"span",
"gc",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"httponly",
"secure",
"dynamic expires",
"blacklist",
"site",
"cisco umbrella",
"worm",
"malware-as_a_service"
],
"references": [
"https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa",
"https://www.hybrid-analysis.com/sample/f7cb7c256e840ab93e6991462cedf6eac928c12f4102798986e2c5d27d1abc7f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Gc",
"display_name": "Gc",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 57,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1358,
"URL": 1430,
"domain": 245,
"hostname": 676
},
"indicator_count": 3825,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65618963e4e45d0c53f8e770",
"name": "ww1.imobitracking.net",
"description": "critical, cronup threat, cyber threat, data, serious, tracking, emails collection, relay router , emotet, exploit, content reputation.\n\nSerious tracking efforts, malicious.",
"modified": "2023-12-25T03:01:27.395000",
"created": "2023-11-25T05:42:59.043000",
"tags": [
"creation date",
"search",
"passive dns",
"urls",
"address",
"record value",
"emails",
"date",
"showing",
"body",
"unknown",
"cowboy",
"encrypt",
"resolver ip",
"whois lookups",
"server",
"iana id",
"registrar abuse",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"registrar",
"first",
"dns replication",
"algorithm",
"key usage",
"google",
"record type",
"ttl value",
"cname",
"data",
"v3 serial",
"contacted",
"ssl certificate",
"threat roundup",
"march",
"august",
"referrer",
"whois record",
"communicating",
"june",
"april",
"copy",
"february",
"cobalt strike",
"remcos",
"emotet",
"core",
"noname057",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"malware site",
"phishing site",
"malicious site",
"malware",
"internet storm",
"united",
"cyber threat",
"heur",
"malicious url",
"mail spammer",
"suppobox",
"bambernek",
"cronup threat",
"team",
"facebook",
"malicious",
"phishing",
"download",
"virut",
"unruy",
"bandoo",
"matsnu",
"tofsee",
"simda",
"vawtrak",
"hotmail",
"qakbot",
"asyncrat",
"tsara brashears",
"no data",
"count blacklist",
"tag tag",
"pattern match",
"ascii text",
"file",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"appdata",
"path",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"tor known",
"tor relayrouter",
"node tcp",
"traffic",
"host",
"cins active",
"poor reputation",
"spammer",
"barracuda et",
"artemis",
"iframe",
"cleaner",
"unsafe",
"riskware",
"agent",
"wacatac",
"bank",
"opencandy",
"nircmd",
"swrort",
"downldr",
"crack",
"presenoker",
"filetour",
"conduit",
"xtrat",
"azorult",
"service",
"runescape",
"acint",
"systweak",
"behav",
"tiggre",
"genkryptik",
"exploit",
"xrat",
"installcore",
"patcher",
"adload",
"win64",
"softcnapp",
"union",
"ponmocup",
"fusioncore",
"trojanspy",
"webtoolbar",
"maltiverse",
"114.114.114.114",
"tulach",
"tracking",
"apple",
"illegal",
"target",
"c2",
"cnc",
"scanning_host",
"CVE-2011-0611",
"CVE-2017-0147",
"CVE-2014-3153",
"CVE-2016-0189",
"CVE-2017-0199",
"CVE-2017-8570",
"CVE-2017-11882",
"CVE-2018-4893",
"CVE-2018-8174",
"CVE-2020-0601",
"CVE-2023-22518"
],
"references": [
"ww1.imobitracking.net",
"https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff",
"114.114.114.114",
"signin-appleid.jackpotiot.com",
"https://www.anyxxxtube.net/media/favicon/apple",
"http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://httpdev.findatoyota.com",
"https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0",
"t.prototype.hasownproperty.call",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Private Internet Access",
"display_name": "Private Internet Access",
"target": null
},
{
"id": "OpenCandy",
"display_name": "OpenCandy",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Bandoo",
"display_name": "Bandoo",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "Vawtrak",
"display_name": "Vawtrak",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "TrojanDropper:Win32/Ponmocup",
"display_name": "TrojanDropper:Win32/Ponmocup",
"target": "/malware/TrojanDropper:Win32/Ponmocup"
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1569,
"FileHash-MD5": 489,
"URL": 7420,
"domain": 917,
"FileHash-SHA1": 247,
"email": 3,
"FileHash-SHA256": 2578,
"CVE": 11
},
"indicator_count": 13234,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "846 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655ae7b85bce5b026a160389",
"name": "Command and Control Server and Services CRITICAL",
"description": "HSBC\nInmortal\nRadar Ineractive\nRuleset Match:\nBackSwap Trojan detection by Ariel Millahuel\nCARROTBAT Malware detection by Ariel Millahuel",
"modified": "2023-12-20T03:01:11.128000",
"created": "2023-11-20T04:59:36.506000",
"tags": [
"contacted",
"execution",
"dropped",
"threat roundup",
"august",
"apple ios",
"contacted urls",
"referrer",
"october",
"april",
"core",
"february",
"hacktool",
"installer",
"urls",
"ovh sas",
"domains",
"ip detections",
"country",
"type name",
"win32 exe",
"noname057",
"generic malware",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"wormx",
"malicious site",
"alexa top",
"malware site",
"million",
"malicious url",
"phishing site",
"malware",
"alexa",
"phishing",
"agent",
"bank",
"inmortal",
"united",
"cyber threat",
"pony",
"cnc zeus",
"tracker",
"cnc server",
"covid19",
"engineering",
"http spammer",
"host",
"azorult",
"asyncrat",
"cobalt strike",
"team",
"hsbc",
"file size",
"files",
"file type",
"kb file",
"highly targeted",
"apple",
"password",
"tsara brashears",
"awful",
"radar ineractive",
"no data",
"blacklist",
"malvertizing",
"masquerading",
"tulach",
"114.114.114.114",
"Noname057"
],
"references": [],
"public": 1,
"adversary": "Unconfirmed Adversary",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Radar Ineractive",
"display_name": "Radar Ineractive",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 729,
"FileHash-MD5": 950,
"FileHash-SHA1": 482,
"FileHash-SHA256": 878,
"domain": 139,
"hostname": 300,
"CVE": 1
},
"indicator_count": 3479,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "851 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655af35616dbd4781c681948",
"name": "Spyware: http://browser.events.data.microsoftstart.cn",
"description": "",
"modified": "2023-12-19T13:01:12.394000",
"created": "2023-11-20T05:49:10.586000",
"tags": [
"linkid246338",
"whois record",
"ssl certificate",
"contacted",
"execution",
"historical ssl",
"whois whois",
"communicating",
"resolutions",
"referrer",
"random",
"august",
"lockbit",
"attack",
"core",
"name verdict",
"falcon sandbox",
"pattern match",
"root ca",
"done adding",
"catalog file",
"authority",
"class",
"mitre att",
"script",
"temp",
"ascii text",
"date",
"unknown",
"service",
"generator",
"critical",
"error",
"meta",
"hybrid",
"local",
"click",
"strings",
"threat roundup"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655a13e4538e896c00f2077e",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 34,
"FileHash-SHA1": 28,
"FileHash-SHA256": 2526,
"URL": 3515,
"domain": 458,
"hostname": 1092
},
"indicator_count": 7653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "852 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655a13e4538e896c00f2077e",
"name": "Spyware: http://browser.events.data.microsoftstart.cn",
"description": "This report is generated by MITRE ATT&CK\u2122 and produced by the team at the University of California, San Francisco, and is available on the web, via the Microsoft Research website.\nTulach, 114.114.114.114, spyware, phishing, fraud, malvertizing, password cracker, iPhone unlocker, malicious, media sharing, miscellaneous attacks.",
"modified": "2023-12-19T13:01:12.394000",
"created": "2023-11-19T13:55:48.898000",
"tags": [
"linkid246338",
"whois record",
"ssl certificate",
"contacted",
"execution",
"historical ssl",
"whois whois",
"communicating",
"resolutions",
"referrer",
"random",
"august",
"lockbit",
"attack",
"core",
"name verdict",
"falcon sandbox",
"pattern match",
"root ca",
"done adding",
"catalog file",
"authority",
"class",
"mitre att",
"script",
"temp",
"ascii text",
"date",
"unknown",
"service",
"generator",
"critical",
"error",
"meta",
"hybrid",
"local",
"click",
"strings",
"threat roundup"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 34,
"FileHash-SHA1": 28,
"FileHash-SHA256": 2526,
"URL": 3515,
"domain": 458,
"hostname": 1092
},
"indicator_count": 7653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "852 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65580c17e69371b34a573f72",
"name": "Masquerading",
"description": "",
"modified": "2023-12-17T11:03:45.376000",
"created": "2023-11-18T00:57:59.619000",
"tags": [
"no expiration",
"filehashsha256",
"filehashmd5",
"iocs",
"url http",
"expiration",
"scan endpoints",
"all search",
"otx octoseek",
"create new",
"blacklist http",
"laplasclipper",
"malicious url",
"cisco umbrella",
"site",
"alexa top",
"blacklist",
"safe site",
"malware site",
"phishing site",
"malicious site",
"malware",
"china unknown",
"united",
"unknown",
"as54994 quantil",
"cname",
"nxdomain",
"as8068",
"as4134 chinanet",
"passive dns",
"domain",
"next",
"filehashsha1",
"service company",
"servers",
"ndicator role",
"title added",
"active related",
"pulses url",
"showing",
"entries",
"pulses http",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"report spam",
"author avatar",
"created",
"hour ago",
"trojanspy",
"redline",
"pulses hostname",
"blacklist https",
"indicator role",
"bidid",
"adid",
"v4us",
"v51845481",
"hostname",
"http",
"cisco",
"umbrella rank",
"search live",
"api blog",
"docs pricing",
"november",
"de summary",
"frankfurt",
"main",
"reverse dns",
"general full",
"asn16509",
"amazon02",
"resource",
"protocol h2",
"security tls",
"hash",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"follow",
"value",
"postitem",
"variables",
"parameters",
"systemid object",
"def function",
"login",
"get h2",
"secrets llc",
"agreement",
"the site",
"content",
"policy",
"this site",
"claims",
"florida",
"please",
"premium",
"service",
"restrict",
"express",
"media",
"facebook",
"twitter",
"final",
"first",
"cloudflarenet",
"gts ca",
"software",
"million",
"hours ago",
"chameleon",
"heur",
"phishing",
"riskware",
"agent",
"unsafe",
"opencandy",
"exploit",
"mimikatz",
"iframe",
"downldr",
"presenoker",
"artemis",
"download",
"beach research",
"germany",
"asn20940",
"akamaiasn1",
"threat report",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"alexa",
"maltiverse",
"google",
"qtsas",
"name value",
"no data",
"tag count",
"count blacklist",
"pbiptbmvd0k4",
"glelexoputyh",
"suppobox",
"team",
"bambernek",
"internet storm",
"phishtank",
"phish",
"trickbot",
"telecom",
"bank",
"ipv4",
"octoseek report",
"spam https",
"tsara brashears",
"malvertizing",
"tracking",
"tagging",
"spyder",
"cybercrime",
"email collection",
"apple data collection",
"win32 exe",
"ms word",
"document",
"type name",
"javascript",
"network capture",
"files",
"detections type",
"name",
"ssl certificate",
"whois whois",
"tsara brashears",
"whois record",
"asn owner",
"highly targeted",
"kgs0",
"kls0",
"relacionada",
"family",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"ursnif",
"remcos",
"core",
"redline stealer",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"execution",
"network",
"communicating",
"referrer",
"parent",
"historical ssl",
"siblings",
"resolutions",
"name verdict",
"falcon sandbox",
"pattern match",
"error",
"file",
"indicator",
"script",
"typeof e",
"ascii text",
"appdata",
"date",
"windir",
"span",
"body",
"meta",
"class",
"generator",
"info",
"null",
"refresh",
"hybrid",
"general",
"local",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"form",
"footer",
"html",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"crack",
"webtoolbar",
"threat roundup",
"contacted",
"june",
"july",
"october",
"august"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [
"Health",
"Nutritional",
"Medical",
"Medicine"
],
"TLP": "white",
"cloned_from": "65574cb4447c8d87ad85fa75",
"export_count": 103,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 400,
"FileHash-SHA1": 240,
"FileHash-SHA256": 6459,
"hostname": 4845,
"URL": 11514,
"CVE": 15,
"domain": 3179,
"email": 31
},
"indicator_count": 26683,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65574cbe6bdbe24ecb170b24",
"name": "Masquerading",
"description": "",
"modified": "2023-12-17T11:03:45.376000",
"created": "2023-11-17T11:21:34.083000",
"tags": [
"no expiration",
"filehashsha256",
"filehashmd5",
"iocs",
"url http",
"expiration",
"scan endpoints",
"all search",
"otx octoseek",
"create new",
"blacklist http",
"laplasclipper",
"malicious url",
"cisco umbrella",
"site",
"alexa top",
"blacklist",
"safe site",
"malware site",
"phishing site",
"malicious site",
"malware",
"china unknown",
"united",
"unknown",
"as54994 quantil",
"cname",
"nxdomain",
"as8068",
"as4134 chinanet",
"passive dns",
"domain",
"next",
"filehashsha1",
"service company",
"servers",
"ndicator role",
"title added",
"active related",
"pulses url",
"showing",
"entries",
"pulses http",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"report spam",
"author avatar",
"created",
"hour ago",
"trojanspy",
"redline",
"pulses hostname",
"blacklist https",
"indicator role",
"bidid",
"adid",
"v4us",
"v51845481",
"hostname",
"http",
"cisco",
"umbrella rank",
"search live",
"api blog",
"docs pricing",
"november",
"de summary",
"frankfurt",
"main",
"reverse dns",
"general full",
"asn16509",
"amazon02",
"resource",
"protocol h2",
"security tls",
"hash",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"follow",
"value",
"postitem",
"variables",
"parameters",
"systemid object",
"def function",
"login",
"get h2",
"secrets llc",
"agreement",
"the site",
"content",
"policy",
"this site",
"claims",
"florida",
"please",
"premium",
"service",
"restrict",
"express",
"media",
"facebook",
"twitter",
"final",
"first",
"cloudflarenet",
"gts ca",
"software",
"million",
"hours ago",
"chameleon",
"heur",
"phishing",
"riskware",
"agent",
"unsafe",
"opencandy",
"exploit",
"mimikatz",
"iframe",
"downldr",
"presenoker",
"artemis",
"download",
"beach research",
"germany",
"asn20940",
"akamaiasn1",
"threat report",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"alexa",
"maltiverse",
"google",
"qtsas",
"name value",
"no data",
"tag count",
"count blacklist",
"pbiptbmvd0k4",
"glelexoputyh",
"suppobox",
"team",
"bambernek",
"internet storm",
"phishtank",
"phish",
"trickbot",
"telecom",
"bank",
"ipv4",
"octoseek report",
"spam https",
"tsara brashears",
"malvertizing",
"tracking",
"tagging",
"spyder",
"cybercrime",
"email collection",
"apple data collection",
"win32 exe",
"ms word",
"document",
"type name",
"javascript",
"network capture",
"files",
"detections type",
"name",
"ssl certificate",
"whois whois",
"tsara brashears",
"whois record",
"asn owner",
"highly targeted",
"kgs0",
"kls0",
"relacionada",
"family",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"ursnif",
"remcos",
"core",
"redline stealer",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"execution",
"network",
"communicating",
"referrer",
"parent",
"historical ssl",
"siblings",
"resolutions",
"name verdict",
"falcon sandbox",
"pattern match",
"error",
"file",
"indicator",
"script",
"typeof e",
"ascii text",
"appdata",
"date",
"windir",
"span",
"body",
"meta",
"class",
"generator",
"info",
"null",
"refresh",
"hybrid",
"general",
"local",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"form",
"footer",
"html",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"crack",
"webtoolbar",
"threat roundup",
"contacted",
"june",
"july",
"october",
"august"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [
"Health",
"Nutritional",
"Medical",
"Medicine"
],
"TLP": "white",
"cloned_from": null,
"export_count": 102,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 400,
"FileHash-SHA1": 240,
"FileHash-SHA256": 6459,
"hostname": 4845,
"URL": 11514,
"CVE": 15,
"domain": 3179,
"email": 31
},
"indicator_count": 26683,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65574cb4447c8d87ad85fa75",
"name": "Masquerading",
"description": "",
"modified": "2023-12-17T11:03:45.376000",
"created": "2023-11-17T11:21:24.343000",
"tags": [
"no expiration",
"filehashsha256",
"filehashmd5",
"iocs",
"url http",
"expiration",
"scan endpoints",
"all search",
"otx octoseek",
"create new",
"blacklist http",
"laplasclipper",
"malicious url",
"cisco umbrella",
"site",
"alexa top",
"blacklist",
"safe site",
"malware site",
"phishing site",
"malicious site",
"malware",
"china unknown",
"united",
"unknown",
"as54994 quantil",
"cname",
"nxdomain",
"as8068",
"as4134 chinanet",
"passive dns",
"domain",
"next",
"filehashsha1",
"service company",
"servers",
"ndicator role",
"title added",
"active related",
"pulses url",
"showing",
"entries",
"pulses http",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"report spam",
"author avatar",
"created",
"hour ago",
"trojanspy",
"redline",
"pulses hostname",
"blacklist https",
"indicator role",
"bidid",
"adid",
"v4us",
"v51845481",
"hostname",
"http",
"cisco",
"umbrella rank",
"search live",
"api blog",
"docs pricing",
"november",
"de summary",
"frankfurt",
"main",
"reverse dns",
"general full",
"asn16509",
"amazon02",
"resource",
"protocol h2",
"security tls",
"hash",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"follow",
"value",
"postitem",
"variables",
"parameters",
"systemid object",
"def function",
"login",
"get h2",
"secrets llc",
"agreement",
"the site",
"content",
"policy",
"this site",
"claims",
"florida",
"please",
"premium",
"service",
"restrict",
"express",
"media",
"facebook",
"twitter",
"final",
"first",
"cloudflarenet",
"gts ca",
"software",
"million",
"hours ago",
"chameleon",
"heur",
"phishing",
"riskware",
"agent",
"unsafe",
"opencandy",
"exploit",
"mimikatz",
"iframe",
"downldr",
"presenoker",
"artemis",
"download",
"beach research",
"germany",
"asn20940",
"akamaiasn1",
"threat report",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"alexa",
"maltiverse",
"google",
"qtsas",
"name value",
"no data",
"tag count",
"count blacklist",
"pbiptbmvd0k4",
"glelexoputyh",
"suppobox",
"team",
"bambernek",
"internet storm",
"phishtank",
"phish",
"trickbot",
"telecom",
"bank",
"ipv4",
"octoseek report",
"spam https",
"tsara brashears",
"malvertizing",
"tracking",
"tagging",
"spyder",
"cybercrime",
"email collection",
"apple data collection",
"win32 exe",
"ms word",
"document",
"type name",
"javascript",
"network capture",
"files",
"detections type",
"name",
"ssl certificate",
"whois whois",
"tsara brashears",
"whois record",
"asn owner",
"highly targeted",
"kgs0",
"kls0",
"relacionada",
"family",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"ursnif",
"remcos",
"core",
"redline stealer",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"execution",
"network",
"communicating",
"referrer",
"parent",
"historical ssl",
"siblings",
"resolutions",
"name verdict",
"falcon sandbox",
"pattern match",
"error",
"file",
"indicator",
"script",
"typeof e",
"ascii text",
"appdata",
"date",
"windir",
"span",
"body",
"meta",
"class",
"generator",
"info",
"null",
"refresh",
"hybrid",
"general",
"local",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"form",
"footer",
"html",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"crack",
"webtoolbar",
"threat roundup",
"contacted",
"june",
"july",
"october",
"august"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [
"Health",
"Nutritional",
"Medical",
"Medicine"
],
"TLP": "white",
"cloned_from": null,
"export_count": 103,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 400,
"FileHash-SHA1": 240,
"FileHash-SHA256": 6459,
"hostname": 4845,
"URL": 11514,
"CVE": 15,
"domain": 3179,
"email": 31
},
"indicator_count": 26683,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65580c1516990d69644fb3d0",
"name": "Masquerading",
"description": "",
"modified": "2023-12-17T11:03:45.376000",
"created": "2023-11-18T00:57:57.372000",
"tags": [
"no expiration",
"filehashsha256",
"filehashmd5",
"iocs",
"url http",
"expiration",
"scan endpoints",
"all search",
"otx octoseek",
"create new",
"blacklist http",
"laplasclipper",
"malicious url",
"cisco umbrella",
"site",
"alexa top",
"blacklist",
"safe site",
"malware site",
"phishing site",
"malicious site",
"malware",
"china unknown",
"united",
"unknown",
"as54994 quantil",
"cname",
"nxdomain",
"as8068",
"as4134 chinanet",
"passive dns",
"domain",
"next",
"filehashsha1",
"service company",
"servers",
"ndicator role",
"title added",
"active related",
"pulses url",
"showing",
"entries",
"pulses http",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"report spam",
"author avatar",
"created",
"hour ago",
"trojanspy",
"redline",
"pulses hostname",
"blacklist https",
"indicator role",
"bidid",
"adid",
"v4us",
"v51845481",
"hostname",
"http",
"cisco",
"umbrella rank",
"search live",
"api blog",
"docs pricing",
"november",
"de summary",
"frankfurt",
"main",
"reverse dns",
"general full",
"asn16509",
"amazon02",
"resource",
"protocol h2",
"security tls",
"hash",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"follow",
"value",
"postitem",
"variables",
"parameters",
"systemid object",
"def function",
"login",
"get h2",
"secrets llc",
"agreement",
"the site",
"content",
"policy",
"this site",
"claims",
"florida",
"please",
"premium",
"service",
"restrict",
"express",
"media",
"facebook",
"twitter",
"final",
"first",
"cloudflarenet",
"gts ca",
"software",
"million",
"hours ago",
"chameleon",
"heur",
"phishing",
"riskware",
"agent",
"unsafe",
"opencandy",
"exploit",
"mimikatz",
"iframe",
"downldr",
"presenoker",
"artemis",
"download",
"beach research",
"germany",
"asn20940",
"akamaiasn1",
"threat report",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"alexa",
"maltiverse",
"google",
"qtsas",
"name value",
"no data",
"tag count",
"count blacklist",
"pbiptbmvd0k4",
"glelexoputyh",
"suppobox",
"team",
"bambernek",
"internet storm",
"phishtank",
"phish",
"trickbot",
"telecom",
"bank",
"ipv4",
"octoseek report",
"spam https",
"tsara brashears",
"malvertizing",
"tracking",
"tagging",
"spyder",
"cybercrime",
"email collection",
"apple data collection",
"win32 exe",
"ms word",
"document",
"type name",
"javascript",
"network capture",
"files",
"detections type",
"name",
"ssl certificate",
"whois whois",
"tsara brashears",
"whois record",
"asn owner",
"highly targeted",
"kgs0",
"kls0",
"relacionada",
"family",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"ursnif",
"remcos",
"core",
"redline stealer",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"execution",
"network",
"communicating",
"referrer",
"parent",
"historical ssl",
"siblings",
"resolutions",
"name verdict",
"falcon sandbox",
"pattern match",
"error",
"file",
"indicator",
"script",
"typeof e",
"ascii text",
"appdata",
"date",
"windir",
"span",
"body",
"meta",
"class",
"generator",
"info",
"null",
"refresh",
"hybrid",
"general",
"local",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"form",
"footer",
"html",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"crack",
"webtoolbar",
"threat roundup",
"contacted",
"june",
"july",
"october",
"august"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [
"Health",
"Nutritional",
"Medical",
"Medicine"
],
"TLP": "white",
"cloned_from": "65574cb4447c8d87ad85fa75",
"export_count": 100,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 400,
"FileHash-SHA1": 240,
"FileHash-SHA256": 6459,
"hostname": 4845,
"URL": 11514,
"CVE": 15,
"domain": 3179,
"email": 31
},
"indicator_count": 26683,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65580c52bf98f256b6a01da6",
"name": "https://myaccount.uscis.gov/",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-18T00:58:58.944000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 101,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "855 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655650c9b2be6cc930c92cf3",
"name": "https://myaccount.uscis.gov/",
"description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:26:33",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 102,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "855 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655686e2c072557f03e9cba2",
"name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T21:17:22.087000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 102,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "855 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656aac25a8a2caaddf0d3b88",
"name": "https://myaccount.uscis.gov/",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-12-02T04:01:41.427000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655652f6ddcbf952a599cded",
"export_count": 93,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "855 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655652f6ddcbf952a599cded",
"name": "https://myaccount.uscis.gov/",
"description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:35:50.285000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 100,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "855 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65565477da453c46f05a6ac4",
"name": "BTW VirusTotal - \" interesting files written to disk during execution'",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:42:15.123000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 101,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "855 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655657ca2e402d4f98283de9",
"name": "https://myaccount.uscis.gov/ ",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:56:26.312000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 100,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "855 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a6a1be1f5233855ae116",
"name": "Communication Device exploit",
"description": "",
"modified": "2023-12-06T16:51:45.122000",
"created": "2023-12-06T16:51:45.122000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1682,
"domain": 434,
"hostname": 678,
"FileHash-SHA1": 32,
"URL": 4050,
"FileHash-MD5": 32
},
"indicator_count": 6908,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a684ac21d7733c8e1041",
"name": "Remcos \u2022 Communication Device exploit \u2022 C2",
"description": "",
"modified": "2023-12-06T16:51:16.351000",
"created": "2023-12-06T16:51:16.351000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1682,
"domain": 434,
"hostname": 678,
"FileHash-SHA1": 32,
"URL": 4050,
"FileHash-MD5": 32
},
"indicator_count": 6908,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a64f0bda3d89bf44603f",
"name": "Remcos \u2022 Communication Device exploit \u2022 C2",
"description": "",
"modified": "2023-12-06T16:50:23.738000",
"created": "2023-12-06T16:50:23.738000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1682,
"domain": 434,
"hostname": 678,
"FileHash-SHA1": 32,
"URL": 4050,
"FileHash-MD5": 32
},
"indicator_count": 6908,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a6147bfb449c3489082e",
"name": "Malvertizing \u2022 Phishing \u2022 Malware \u2022 malicious name tagging",
"description": "",
"modified": "2023-12-06T16:49:24.127000",
"created": "2023-12-06T16:49:24.127000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1079,
"hostname": 438,
"domain": 86,
"URL": 872,
"FileHash-MD5": 812,
"FileHash-SHA1": 86
},
"indicator_count": 3373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a60cd4985a30bf050572",
"name": "Search Engines \u2022 Portals \u2022 Search Engines \u2022 Mobile Communications \u2022 searchengines",
"description": "",
"modified": "2023-12-06T16:49:16.153000",
"created": "2023-12-06T16:49:16.153000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 930,
"domain": 74,
"hostname": 340,
"URL": 567,
"FileHash-MD5": 360,
"FileHash-SHA1": 185
},
"indicator_count": 2458,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570992ff3ffe737f8cb8dfc",
"name": "www.almavision.com pertains to pscp.tv and twitter amongst many other top level domains",
"description": "",
"modified": "2023-12-06T15:54:22.375000",
"created": "2023-12-06T15:54:22.375000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 938,
"hostname": 737,
"domain": 239,
"FileHash-MD5": 17,
"FileHash-SHA1": 17,
"URL": 3529
},
"indicator_count": 5477,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653fd47a852cc130c72de9e5",
"name": "BGP.Tools",
"description": "",
"modified": "2023-11-29T05:05:42.592000",
"created": "2023-10-30T16:06:18.567000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"whois whois",
"communicating",
"relacionada",
"resolutions",
"historical ssl",
"collections new",
"family",
"lolkek",
"dark power",
"ransomware",
"play ransomware",
"makop",
"core",
"redline stealer",
"hacktool",
"emotet",
"quasar rat",
"wiper",
"ursnif",
"malware",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server",
"date wed",
"html info",
"meta tags",
"name verdict",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"ascii text",
"et tor",
"known tor",
"meta",
"monitoring",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"date",
"unknown",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"njrat",
"cobalt strike"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653f4d0c4cca0c5f58530600",
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3631,
"FileHash-MD5": 45,
"FileHash-SHA1": 44,
"FileHash-SHA256": 1788,
"CVE": 5,
"domain": 543,
"hostname": 1328,
"CIDR": 2,
"email": 1
},
"indicator_count": 7387,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f4d0c4cca0c5f58530600",
"name": "BGP.Tools",
"description": "BGP is a very malicious, developed spyware tool. Attorneys, insurance companies use tool. BGP Hurricane. In the past they will call target and a modem connects draining ALL content. It can CNC device, erase everything from it, manipulate dropbox as well as other clouds. Very destructive.Once you're a target your privacy is gone for good. Assertions from threat crowd that CISA/Valmet are government phishing entities concerns me. BGP gets a 100% malicious score. Listed as part of infrastructure is CISA. A familiar name in adult content and other commands, vulnerabilities,etc. I'm not sure what to believe, or what's going on.",
"modified": "2023-11-29T05:05:42.592000",
"created": "2023-10-30T06:28:28.160000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"whois whois",
"communicating",
"relacionada",
"resolutions",
"historical ssl",
"collections new",
"family",
"lolkek",
"dark power",
"ransomware",
"play ransomware",
"makop",
"core",
"redline stealer",
"hacktool",
"emotet",
"quasar rat",
"wiper",
"ursnif",
"malware",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server",
"date wed",
"html info",
"meta tags",
"name verdict",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"ascii text",
"et tor",
"known tor",
"meta",
"monitoring",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"date",
"unknown",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"njrat",
"cobalt strike"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 42,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3631,
"FileHash-MD5": 45,
"FileHash-SHA1": 44,
"FileHash-SHA256": 1788,
"CVE": 5,
"domain": 543,
"hostname": 1328,
"CIDR": 2,
"email": 1
},
"indicator_count": 7387,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f13c8ed1904a82c5615e1",
"name": "Remcos \u2022 Communication Device exploit \u2022 C2",
"description": "",
"modified": "2023-10-30T02:24:08.053000",
"created": "2023-10-30T02:24:08.053000",
"tags": [
"threat roundup",
"referrer",
"communicating",
"ssl certificate",
"historical ssl",
"apple",
"execution",
"core",
"ursnif",
"hacktool",
"remcos",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"suricata alerts",
"event category",
"description sid",
"nr-data",
"target",
"walker",
"pornhub",
"exploit",
"issues",
"js user"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65134045c1fc19331472ef05",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 32,
"FileHash-SHA1": 32,
"FileHash-SHA256": 1682,
"URL": 4050,
"domain": 434,
"hostname": 678
},
"indicator_count": 6908,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "902 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "651349817011ab7e29b7e305",
"name": "Communication Device exploit",
"description": "",
"modified": "2023-10-25T04:00:03.254000",
"created": "2023-09-26T21:13:37.864000",
"tags": [
"threat roundup",
"referrer",
"communicating",
"ssl certificate",
"historical ssl",
"apple",
"execution",
"core",
"ursnif",
"hacktool",
"remcos",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"suricata alerts",
"event category",
"description sid",
"nr-data",
"target",
"walker",
"pornhub",
"exploit",
"issues",
"js user"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6511134ea6ee89ec55836a41",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 32,
"FileHash-SHA1": 32,
"FileHash-SHA256": 1682,
"URL": 4050,
"domain": 434,
"hostname": 678
},
"indicator_count": 6908,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "907 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65134045c1fc19331472ef05",
"name": "Remcos \u2022 Communication Device exploit \u2022 C2",
"description": "",
"modified": "2023-10-25T04:00:03.254000",
"created": "2023-09-26T20:34:13.879000",
"tags": [
"threat roundup",
"referrer",
"communicating",
"ssl certificate",
"historical ssl",
"apple",
"execution",
"core",
"ursnif",
"hacktool",
"remcos",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"suricata alerts",
"event category",
"description sid",
"nr-data",
"target",
"walker",
"pornhub",
"exploit",
"issues",
"js user"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6511134ea6ee89ec55836a41",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 32,
"FileHash-SHA1": 32,
"FileHash-SHA256": 1682,
"URL": 4050,
"domain": 434,
"hostname": 678
},
"indicator_count": 6908,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "907 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6511134ea6ee89ec55836a41",
"name": "Remcos \u2022 Communication Device exploit \u2022 C2",
"description": "Apple iOS exploit",
"modified": "2023-10-25T04:00:03.254000",
"created": "2023-09-25T04:57:50.258000",
"tags": [
"threat roundup",
"referrer",
"communicating",
"ssl certificate",
"historical ssl",
"apple",
"execution",
"core",
"ursnif",
"hacktool",
"remcos",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"suricata alerts",
"event category",
"description sid",
"nr-data",
"target",
"walker",
"pornhub",
"exploit",
"issues",
"js user"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 32,
"FileHash-SHA1": 32,
"FileHash-SHA256": 1682,
"URL": 4050,
"domain": 434,
"hostname": 678
},
"indicator_count": 6908,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "907 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "650fc136668d5e0dfe491cf2",
"name": "Malvertizing \u2022 Phishing \u2022 Malware \u2022 malicious name tagging",
"description": "command and control \u2022 phishing \u2022 trojans \u2022 abuse \u2022 malicious site \u2022 stealers \u2022 fraud activities \u2022 illegal site \u2022 banker",
"modified": "2023-10-24T02:03:42.871000",
"created": "2023-09-24T04:55:18.270000",
"tags": [
"cisco umbrella",
"site",
"noname057",
"safe site",
"blacklist",
"alexa top",
"million",
"ip summary",
"url summary",
"summary",
"phishing",
"union",
"team",
"bank",
"malware",
"pony",
"malicious url",
"financial",
"malware site",
"malicious site",
"alexa",
"bing images",
"report",
"please",
"adult child",
"sexual abuse",
"invisible",
"cookies legal",
"advertise",
"help feedback",
"search live",
"api blog",
"docs pricing",
"september",
"domains",
"hashes",
"copyright",
"gmbh version",
"follow",
"public",
"blacklist https",
"data",
"command and control",
"detection list",
"phishing",
"abuse",
"tagging",
"Ameriprise Financial phishing",
"Tesco Bank phishing",
"South Carolina Federal Credit Union phishing",
"paypal phishing",
"malvertizing"
],
"references": [
"https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMt",
"https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMtxvGo2FAHaEK&exph=450&expw=800&q=Tsara+Brashears+Defeats+Jeffrey+Reimer&selectedindex=2&adt=1&vt=4&eim=0,3,4,6/",
"WebTools",
"Hybrid Analysis",
"photovolt.ro command and control",
"adns.lbl.gov"
],
"public": 1,
"adversary": "NoName057",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Pony - S0453",
"display_name": "Pony - S0453",
"target": null
},
{
"id": "TROJ_FRS.VSN1EJ18",
"display_name": "TROJ_FRS.VSN1EJ18",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "malicious.moderate.ml",
"display_name": "malicious.moderate.ml",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Xegumumune.8596c22f",
"display_name": "Xegumumune.8596c22f",
"target": null
},
{
"id": "Hoax.JS.Phish",
"display_name": "Hoax.JS.Phish",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "HTML_REDIR.SMR",
"display_name": "HTML_REDIR.SMR",
"target": null
},
{
"id": "TROJ_FRS.VSNTFK19",
"display_name": "TROJ_FRS.VSNTFK19",
"target": null
},
{
"id": "Phishing.HTML 1",
"display_name": "Phishing.HTML 1",
"target": null
},
{
"id": "Generic.ASMalwS",
"display_name": "Generic.ASMalwS",
"target": null
},
{
"id": "Phish.JAT 1",
"display_name": "Phish.JAT 1",
"target": null
},
{
"id": "Phishing.Gen",
"display_name": "Phishing.Gen",
"target": null
},
{
"id": "Kryptik.FPH.gen",
"display_name": "Kryptik.FPH.gen",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 86,
"URL": 872,
"FileHash-MD5": 812,
"FileHash-SHA1": 86,
"FileHash-SHA256": 1079,
"hostname": 438
},
"indicator_count": 3373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "908 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "650f714b099ee92d73840f63",
"name": "Search Engines \u2022 Portals \u2022 Search Engines \u2022 Mobile Communications \u2022 searchengines",
"description": "Scanning Host \u2022 Malware Site \u2022 Phishing \u2022 Malicious site",
"modified": "2023-10-23T21:01:17.695000",
"created": "2023-09-23T23:14:18.638000",
"tags": [
"united",
"anonymizer",
"detection list",
"ip address",
"blacklist",
"firehol proxy",
"firehol south",
"credit union",
"team",
"proxy",
"cisco umbrella",
"site",
"safe site",
"malware site",
"malicious site",
"alexa top",
"million",
"malware",
"phishing site",
"suspected",
"unruy",
"riskware",
"artemis",
"phishing",
"bank",
"alexa",
"union",
"pony",
"catalina",
"opencandy",
"cleaner",
"service",
"runescape",
"facebook",
"download",
"iframe",
"downldr",
"agent",
"presenoker",
"unsafe",
"blacklist https",
"noname057",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"malicious url"
],
"references": [
"https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMtxvGo2FAHaEK&exph=450&expw=800&q=Tsara+Brashears+Defeats+Jeffrey+Reimer&selectedindex=2&adt=1&vt=4&eim=0,3,4,6/CAR-BOMB-DEATH-THREAT-AFTER-TSARA-BRASHEARS-PREVAILS-AGAINST-JEFFREY-REIMER-DPT-SEXUAL-MISCONDUCT",
"Hybrid Analysis",
"Online Research",
"WebTools"
],
"public": 1,
"adversary": "NoName057",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:PUA:Win32/Catalina",
"display_name": "ALF:PUA:Win32/Catalina",
"target": null
},
{
"id": "Backdoor:PHP/Artemis",
"display_name": "Backdoor:PHP/Artemis",
"target": "/malware/Backdoor:PHP/Artemis"
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
"display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
"target": null
},
{
"id": "Pony - S0453",
"display_name": "Pony - S0453",
"target": null
},
{
"id": "ALF:Program:OpenCandy:Remnant",
"display_name": "ALF:Program:OpenCandy:Remnant",
"target": null
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 567,
"FileHash-SHA256": 930,
"domain": 74,
"hostname": 340,
"CVE": 2,
"FileHash-SHA1": 185,
"FileHash-MD5": 360
},
"indicator_count": 2458,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "909 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "643039f4910bf556742467fe",
"name": "www.almavision.com pertains to pscp.tv and twitter amongst many other top level domains",
"description": "The full text of the text below, as compiled by the BBC, has been published, with the following:., \u00c2\u00a31.5m, \u00a31bn, \u00e2\u201a\u00ac",
"modified": "2023-05-07T14:02:11.634000",
"created": "2023-04-07T15:42:44.557000",
"tags": [
"almavision.com",
"pscp.tv",
"metvnetwork.com",
"me-tv.com",
"latv.com",
"api.obesignal.com/player"
],
"references": [
"my www.almavision.com VT graph json upload",
"https://www.virustotal.com/graph/g492542b37c8d461b99fa6c680158288d715dc056789a40b5be9c3585b79cdf1e"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 737,
"URL": 3529,
"domain": 239,
"FileHash-SHA256": 938,
"FileHash-MD5": 17,
"FileHash-SHA1": 17
},
"indicator_count": 5477,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "1078 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "643ef9ae35813a02087c4122",
"name": "v2 - 181.29.101.13/srvc/codec/vermont - c2 - CVE-2017-17215",
"description": "",
"modified": "2023-04-18T20:12:30.537000",
"created": "2023-04-18T20:12:30.537000",
"tags": [
"chromeua",
"unicode",
"ansi",
"drmedgeua",
"temp",
"optin",
"edgeua",
"hidemfhevccodec",
"facebook",
"malicious",
"click",
"qakbot",
"181.29.101.13",
"c2",
"codec",
"CVE-2017-17215"
],
"references": [
"BAD- runtime.bundle.js\t31c9ac555f384e1fbcf07912acdeb5e67ca824ead7feaaa05357be0d942e80a7",
"BAD- wallet.bundle.js\tb0ac14b8b3341e599b1c4bd938daaea15b6ea5244a5c9874b392ef267892f7c5",
"Bad - Part RU daa8547f1dbc8c994eed3725f3076aaf6c4e298b963fb712e53eb0fa2dc1e789",
"https://hybrid-analysis.com/sample/20d1a598d8b49be01e16c213ef8da2acb2e48a57f5bfcd27aa63c8d3bff7cc0f/643ebd7da46b1bdb2a0d09ed"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 143,
"hostname": 493,
"URL": 1632,
"FileHash-SHA256": 92,
"IPv4": 5,
"CVE": 1,
"FileHash-MD5": 59,
"FileHash-SHA1": 57
},
"indicator_count": 2482,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1097 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"https://httpdev.findatoyota.com",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"WebTools",
"https://www.hybrid-analysis.com/sample/f7cb7c256e840ab93e6991462cedf6eac928c12f4102798986e2c5d27d1abc7f",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"photovolt.ro command and control",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"http://fakejuko.site40/",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"CVE-2017-0147",
"sweetheartvideo.com",
"www.dead-speak.com",
"my www.almavision.com VT graph json upload",
"Can the DoD no questions asked target a SA victim",
"Online Research",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"CS IDS: Matches rule (http_inspect) invalid status line",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"https://www.virustotal.com/graph/g492542b37c8d461b99fa6c680158288d715dc056789a40b5be9c3585b79cdf1e",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"ww1.imobitracking.net",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Targeting",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"https://es.pornhat.com/models/the-sex-creator/",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"https://meumundogay-com.sexogratis.page/locker",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Target agreed and complied with all lie detector measures.",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Bad - Part RU daa8547f1dbc8c994eed3725f3076aaf6c4e298b963fb712e53eb0fa2dc1e789",
"http://r3.o.lencr.org",
"BAD- wallet.bundle.js\tb0ac14b8b3341e599b1c4bd938daaea15b6ea5244a5c9874b392ef267892f7c5",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"104.247.75.218 | [cnc ]",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"tsarabrashears.com",
"https://hybrid-analysis.com/sample/20d1a598d8b49be01e16c213ef8da2acb2e48a57f5bfcd27aa63c8d3bff7cc0f/643ebd7da46b1bdb2a0d09ed",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"Malware : ClipBanker Entity: Crazy Frost",
"114.114.114.114 - Tulach Malware",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"signin-appleid.jackpotiot.com",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"IDS: Win32.Scar.hhrw POST",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMtxvGo2FAHaEK&exph=450&expw=800&q=Tsara+Brashears+Defeats+Jeffrey+Reimer&selectedindex=2&adt=1&vt=4&eim=0,3,4,6/",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMtxvGo2FAHaEK&exph=450&expw=800&q=Tsara+Brashears+Defeats+Jeffrey+Reimer&selectedindex=2&adt=1&vt=4&eim=0,3,4,6/CAR-BOMB-DEATH-THREAT-AFTER-TSARA-BRASHEARS-PREVAILS-AGAINST-JEFFREY-REIMER-DPT-SEXUAL-MISCONDUCT",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com",
"I am very upset. Whoever is doing this is sick.",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"pegacloud.net",
"IDS: Data POST to an image file (jpg)",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"There is fear in silence or speaking out",
"If someone is believed to be a threat they have right to due process.",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"adns.lbl.gov",
"t.prototype.hasownproperty.call",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://www.anyxxxtube.net/media/favicon/apple",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"172.31.13.249",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"IDS: Win32/Ibashade CnC Beacon",
"gstatic.com",
"www.gambinospizza.com",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Certificate Subject CN=brazzerspesonals.com",
"Services : GoogleChromeElevationService = Delete",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"114.114.114.114",
"iamrobert.com Y.A.S.",
"Unsupported/Fake Windows NT Version 5.0",
"https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa",
"Login privileges",
"https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMt",
"BAD- runtime.bundle.js\t31c9ac555f384e1fbcf07912acdeb5e67ca824ead7feaaa05357be0d942e80a7",
"http://porn.toplistcreator.eu/in.php",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"IDS: OnionDuke CnC Beacon 1",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"http://www.anyxxxtube/",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"www.governmentattic.org [privilege: malicious malware downloading]",
"Hybrid Analysis",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Crazy Frost",
"NoName057",
"Unconfirmed Adversary"
],
"malware_families": [
"Phishing.html 1",
"Formbook",
"Malware",
"Sabey",
"Rozena",
"Vawtrak",
"Troj_frs.vsn1ej18",
"Inmortal",
"Apnic",
"Win32:wormx-gen [wrm]",
"Tulach malware",
"Brashears",
"Virut",
"Worm:win32:drolnux",
"Pony - s0453",
"Virus:dos/paris",
"Crypt4.ygm",
"Phishing.gen",
"Mirai",
"Suppobox",
"Beach research",
"Zbot",
"Worm:win32/mofksys.rnd!mtb",
"Trojan:win32/zusy",
"Gc",
"Emotet",
"Trojan:win32/comspec",
"Hallgrand",
"Other malware",
"Cve-2017-0147",
"Trojan:win32/dorv.b!rfn",
"#lowfi:hstr:msil/possibledownloader.s01",
"Webtoolbar",
"Trojan:win32/zombie.a",
"Hacktool",
"Xrat",
"Private internet access",
"Pws:msil/dcstl.gd!mtb",
"Generic.asmalws",
"Hoax.js.phish",
"Troj_frs.vsntfk19",
"Tulach",
"Remcos",
"Hsbc",
"Phish.jat 1",
"Bandoo",
"Trojanspy",
"Trojan.ransom.generickd",
"Kryptik.fph.gen",
"Trojan.disfa/downloader10",
"Alf:pua:win32/catalina",
"Win32:malwarex-gen\\ [trj]",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Redline",
"Lumma",
"Xls:nastya\\ [trj]",
"Alf:heraklezeval:trojandownloader:win32/unruy",
"Radar ineractive",
"Generic.malware",
"Alf:program:opencandy:remnant",
"Heartbleed bug",
"Trojan:win32/qqpass",
"Tofsee",
"Hallrender",
"Backdoor:php/artemis",
"Spaceship",
"Opencandy",
"Maltiverse",
"Trojandropper:win32/ponmocup",
"Xegumumune.8596c22f",
"Malicious.moderate.ml",
"Trojan:win32/antavmu.d",
"Tiggre",
"Et",
"Html_redir.smr",
"Pegasus - mob-s0005"
],
"industries": [
"Health",
"Nutritional",
"Government",
"Medical",
"Telecommunications",
"Medicine",
"Technology"
],
"unique_indicators": 187648
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/almavision.com",
"whois": "http://whois.domaintools.com/almavision.com",
"domain": "almavision.com",
"hostname": "almavision.almavision.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 44,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952fbca42c1b0da7431e6a7",
"name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ",
"description": "",
"modified": "2025-12-29T22:08:10.280000",
"created": "2025-12-29T22:08:10.280000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": "6877422df67773a07ef450c2",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "111 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6928f8d9e4222a6a219d785e",
"name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
"description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
"modified": "2025-12-28T00:04:06.179000",
"created": "2025-11-28T01:20:25.401000",
"tags": [
"dynamicloader",
"json",
"ascii text",
"high",
"data",
"x90uxa4xf8",
"cape",
"stream",
"guard",
"write",
"trojan",
"redline",
"malware",
"push",
"local",
"injection_inter_process",
"recon_fingerprint",
"persistence_ads",
"process_creation_suspicious_location",
"infostealer_browser",
"infostealer_cookies",
"stealth_file",
"cape_detected_threat",
"antivm_generic_bios",
"cape_extracted_content",
"united",
"mtb jul",
"a domains",
"aaaa",
"443 ma86400",
"servers",
"win32upatre jul",
"virtool",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"present mar",
"fastest privacy",
"first dns",
"win32",
"trojandropper",
"passive dns",
"mtb nov",
"ipv4 add",
"asn as13335",
"dns resolutions",
"domain",
"data upload",
"extraction",
"yara",
"troja yara",
"trojar data",
"virto",
"worn data",
"included iocs",
"manually add",
"resolved ips",
"ta0002",
"evasion ta0005",
"tr shared",
"modules",
"files",
"infor",
"t1027",
"process t1057",
"community score",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"name server",
"date",
"cloudflare",
"data protected",
"misc activity",
"et info",
"dns requests",
"domain address",
"gmt flag",
"techtarget",
"server",
"et policy",
"prefetch2",
"t1179 hooking",
"access windows",
"installs",
"mitre att",
"ck techniques",
"click",
"windir",
"country",
"contacted hosts",
"ip address",
"process details",
"contacted",
"http traffic",
"suricata alerts",
"event category",
"found"
],
"references": [
"Malware : ClipBanker Entity: Crazy Frost",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Services : GoogleChromeElevationService = Delete",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"CS IDS: Matches rule (http_inspect) invalid status line",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube/"
],
"public": 1,
"adversary": "Crazy Frost",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Trojan.Disfa/downloader10",
"display_name": "Trojan.Disfa/downloader10",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "Rozena",
"display_name": "Rozena",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 295,
"FileHash-SHA1": 217,
"FileHash-SHA256": 1887,
"URL": 3263,
"domain": 597,
"hostname": 1085,
"email": 2,
"CVE": 1
},
"indicator_count": 7347,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "112 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6877422df67773a07ef450c2",
"name": "Pegasus / Pegacloud - Infiltration",
"description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.",
"modified": "2025-08-15T05:01:22.570000",
"created": "2025-07-16T06:09:49.704000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "247 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cd05cd3c9d0cc0b9ed215f",
"name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender",
"description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.",
"modified": "2024-04-15T08:03:32.381000",
"created": "2024-02-14T18:26:21.427000",
"tags": [
"united",
"unknown",
"status",
"sec ch",
"as44273 host",
"search",
"aaaa",
"showing",
"ch ua",
"record value",
"ssl certificate",
"threat roundup",
"contacted",
"communicating",
"historical ssl",
"referrer",
"resolutions",
"http",
"execution",
"gopher",
"pattern match",
"breakpoint",
"command decode",
"desktop",
"base",
"gambino",
"pizza",
"suricata ipv4",
"mitre att",
"date",
"meta",
"footer",
"february",
"general",
"model",
"comspec",
"click",
"strings",
"main",
"brian sabey",
"hallrender",
"trojan",
"worm",
"frankfurt",
"germany",
"asn15169",
"google",
"asn16509",
"amazon02",
"asn396982",
"kansas city",
"franchise url",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"reverse dns",
"general full",
"url https",
"resource",
"hash",
"protocol h2",
"asn13335",
"cloudflarenet",
"software",
"domains",
"hashes",
"learn",
"issues tab",
"value",
"variables",
"typeof function",
"topropertykey",
"bricksintersect",
"bricksfunction",
"domainpath name",
"request chain",
"chain",
"nl page",
"url history",
"javascript",
"page url",
"redirected",
"poweshell",
"bruschettab",
"mobsterstageda",
"calzonec",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"beefpizzac",
"superitaliansub",
"cname",
"msie",
"chrome",
"asnone united",
"as6336 turn",
"nxdomain",
"whitelisted",
"creation date",
"turn",
"body",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"registrar abuse",
"iana id",
"registrar url",
"registrar whois",
"contact email",
"registry domain",
"contact phone",
"dnssec",
"code",
"type name",
"win32 exe",
"recreation",
"whois record",
"infected",
"page dow",
"poser",
"scammer",
"security",
"malvertizing",
"betting",
"illegal activity",
"linux",
"teen porn",
"child exploitation",
"script urls",
"a domains",
"as10796 charter",
"find your",
"next franchise",
"x content",
"backend",
"as13768 aptum",
"moved",
"passive dns",
"urls",
"as2635",
"as14061",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"ip address",
"related nids",
"files location",
"date hash",
"avast avg",
"nastya",
"entries",
"emotet",
"windows nt",
"show",
"etpro trojan",
"channel",
"artemis",
"medium",
"delete",
"copy",
"virustotal",
"trojan",
"write",
"trojanproxy",
"vipre",
"panda",
"malware",
"malware infection",
"dga",
"algorithm generated domains",
"command and control",
"pe32 executable",
"tag",
"tagging",
"porn tagging",
"as3356 level",
"tahoma arial",
"servers",
"as1136 kpn",
"next",
"et",
"remote",
"confirm http",
"sectrack",
"openssl",
"fulldisc",
"secunia",
"confirm https",
"openssl tls",
"multiple",
"remote",
"misc https",
"impact",
"heartbleed",
"external source",
"name hyperlink",
"hp hpsbmu02998",
"hp hpsbmu03019",
"hp hpsbmu03030",
"hp hpsbmu03018",
"title",
"lowfi",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"mozilla",
"720.282.2025",
"masquerading",
"ninite feb",
"mtb feb",
"telper",
"trojandropper",
"ninite",
"create c",
"read c",
"default",
"create",
"unicode",
"dock",
"xport"
],
"references": [
"www.gambinospizza.com",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"http://porn.toplistcreator.eu/in.php",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "XLS:Nastya\\ [Trj]",
"display_name": "XLS:Nastya\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Crypt4.YGM",
"display_name": "Crypt4.YGM",
"target": null
},
{
"id": "ZBot",
"display_name": "ZBot",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Heartbleed Bug",
"display_name": "Heartbleed Bug",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 59,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 118,
"FileHash-SHA1": 106,
"domain": 3271,
"hostname": 2451,
"URL": 8652,
"email": 8,
"FileHash-SHA256": 3153,
"CVE": 4
},
"indicator_count": 17763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "734 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659fa1fad840744f75eb2d14",
"name": "Worm:Win32/Benjamin IoC's",
"description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples | \nFiles Matching Antivirus Detection - 296,250 \nNetwork Icmp\nPersistence Autorun\nNetwork Http\nDynamic Function Loading\nProcmem Yara\nInjection Rwx\nPowershell Request\nDead Connect\nSuricata Alert\nPe Features\nPacker Entropy\nAntivm Memory Available\nAllocates Rwx\nCreates Exe\nPacker Polymorphic\nNids Alert\nDead Host\nNolookup Communication",
"modified": "2024-02-10T07:03:55.140000",
"created": "2024-01-11T08:08:26.689000",
"tags": [
"worm",
"win32",
"benjamin",
"passive dns",
"as47846",
"germany unknown",
"urls",
"next",
"scan endpoints",
"all octoseek",
"unknown",
"threat roundup",
"ssl certificate",
"whois record",
"august",
"april",
"execution",
"october",
"july",
"march",
"contacted",
"june",
"emotet",
"quasar",
"core",
"hacktool",
"goldfinder",
"sibot",
"ryuk",
"drxk0gdg2s06f8p",
"cfom2jtlf",
"k60zzli http",
"whois whois",
"historical ssl",
"resolutions",
"referrer"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 145,
"FileHash-SHA256": 2888,
"hostname": 1075,
"domain": 1007,
"URL": 4964,
"CVE": 1
},
"indicator_count": 10224,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "799 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a4898fa85cad0af83e032d",
"name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ",
"description": "",
"modified": "2024-02-04T18:00:29.833000",
"created": "2024-01-15T01:25:35.060000",
"tags": [
"ssl certificate",
"whois record",
"execution",
"contacted",
"dropped",
"historical ssl",
"communicating",
"referrer",
"stolec kradnie",
"vt graph",
"first",
"utc submissions",
"submitters",
"amazonaes",
"amazon02",
"cloudflarenet",
"gandi sas",
"csc corporate",
"ltd dba",
"com laude",
"facebook",
"paris",
"twitter",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"url https",
"samples",
"bundled",
"tracking",
"tsara brashears",
"malware hunting",
"hacktool",
"emotet",
"copy",
"brashears",
"dynadot inc",
"enom",
"srsplus",
"spaceship",
"CVE-2017-0147",
"spy cve",
"pegasus",
"CVE-2017-0147 also found in Pegasus",
"mile high",
"logos",
"trademarks",
"aylo premium",
"click",
"record keeping",
"statement",
"all rights",
"reserved",
"vendo",
"hostnames",
"urls https",
"namecheap inc",
"feeds ioc",
"maltiverse",
"analyze",
"fastly",
"mb installer",
"helper",
"summary iocs",
"graph community",
"urls",
"urls http",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"body",
"date",
"gmt server",
"user agent",
"content type",
"encrypt",
"accept",
"as136800 sun",
"ipv4",
"pulse submit",
"url analysis",
"files",
"location hong",
"kong asn",
"dns resolutions",
"dinkle threat",
"mirai",
"hallrender",
"briansabey",
"brian sabey",
"mark sabey",
"uche6vol",
"uc health medical campus colorado medical campus",
"abuse"
],
"references": [
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"CVE-2017-0147",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"114.114.114.114 - Tulach Malware",
"Targeting",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"tsarabrashears.com",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"sweetheartvideo.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"www.dead-speak.com",
"Certificate Subject CN=brazzerspesonals.com",
"http://r3.o.lencr.org",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"104.247.75.218 | [cnc ]",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BRASHEARS",
"display_name": "BRASHEARS",
"target": null
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "TULACH",
"display_name": "TULACH",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "SPACESHIP",
"display_name": "SPACESHIP",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Virus:DOS/Paris",
"display_name": "Virus:DOS/Paris",
"target": "/malware/Virus:DOS/Paris"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "659864448507cc1752ff6456",
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 885,
"FileHash-SHA1": 505,
"FileHash-SHA256": 5051,
"URL": 12316,
"domain": 3944,
"hostname": 4449,
"CVE": 2
},
"indicator_count": 27152,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "805 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://almavision.almavision.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://almavision.almavision.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776640790.1222441
}