{ "type": "URL", "indicator": "https://alohatube.xyz/...", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://alohatube.xyz/...", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3752094801, "indicator": "https://alohatube.xyz/...", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-04-19T07:36:41.138000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2, "IPv4": 1 }, "indicator_count": 18567, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2730aa46a25d7949daa8d", "name": "apple retail dnspionage clone octoseek", "description": "", "modified": "2026-04-11T00:03:57.096000", "created": "2026-03-12T08:02:18.609000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653a092e3e9270a3ccff2aa0", "name": "Apple iOS compromise. CVE Jar", "description": "ASpeakSoft iOS iPhone Unlocker v1.0.36 Multilingual Portable.exe\nTargets Tsara Brashears iPhone unlocked, Total command and control. Dumping, remote access, hidden users, privilege escalation, malware spreading, tracking, defacement, libel, harassment. \n\nTarget at eminent risk", "modified": "2024-08-28T12:01:51.699000", "created": "2023-10-26T06:37:34.613000", "tags": [ "apple ios", "tsara brashears", "unlocker", "critical risk", "cyberstalking", "elf collection", "apple phone", "shell code", "script", "spyware", "hacktool", "installer", "banker", "keylogger", "name verdict", "falcon sandbox", "beginstring", "sha256", "sha1", "runtime process", "segoe ui", "internet", "null", "size", "misc attack", "unknown", "error", "span", "date", "body", "refresh", "class", "generator", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "hiddentears", "PyInstaller", "ransomware", "verified", "et", "legal entities", "phishing", "e-devlet", "buff achievement tracker", "cyber warfare", "malware", "ransom", "malware spreader", "et malware", "neurevt.a.betabot check in", "atlassian", "Tulach malware", "shell code script", "TrojanSpy", "remote access", "cve", "collection", "monitoring", "cyber threat", "cyber stalking", "cybercrime", "lockbin.1", "python connection", "elf", "redirect", "watchhers", "tracking", "fed", "us", "blob", "vortex", "Amazon aes", "spyware", "banker", "synaptics", "fraud service", "python initiated connection", "Trojan_Win_Generic_101", "malware trojan", "evader", "contacted", "execution", "cobaltstrike", "hacking_tool", "trojan", "cve exploit", "red team tools", "fireeye", "noname057", "adult content", "pornographer", "attack", "unsafe", "tulach malware", "remote attacks", "Rat" ], "references": [ "1.116.132.182/weblogic_CVE_2020_2551.jar", "http://1.116.132.182/.git/HEAD" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "trojan.barys/cobalt", "display_name": "trojan.barys/cobalt", "target": null }, { "id": "NoName057", "display_name": "NoName057", "target": null }, { "id": "Network RAT", "display_name": "Network RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 92, "FileHash-SHA256": 984, "URL": 2184, "domain": 274, "hostname": 782, "CVE": 10 }, "indicator_count": 4425, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b4cea3e6da3a00306ae11", "name": "Ragnar Locker | Cowrie Hash", "description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.", "modified": "2024-02-06T23:04:54.022000", "created": "2024-01-08T01:16:26.884000", "tags": [ "contacted", "pe resource", "execution", "problems", "alienvault part", "dropped", "kgs0", "kls0", "collections", "schema abuse", "iframe", "united", "as29791", "search", "entries", "passive dns", "urls", "service", "date", "unknown", "japan unknown", "body", "czechia unknown", "sinkhole", "emotet", "date hash", "avast avg", "mtb dec", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "samples", "tulach", "tulach.cc", "sabey data center", "malware server", "gorf", "set cookie", "united kingdom", "script urls", "trojan", "status", "showing", "cookie", "template", "johnnsabey", "briansabey", "data center", "choco", "name", "win32 exe", "domains", "registrar", "markmonitor inc", "ip detections", "country", "us execution", "parents", "whois record", "whois whois", "ssl certificate", "apple ios", "red team", "tsara brashears", "historical ssl", "hacktool", "copy", "malicious", "life", "unsafe", "server", "registrar abuse", "contact phone", "domain status", "registrar whois", "email", "registry domain", "registry expiry", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "show", "free", "recon", "benjamin", "write", "worm", "win32", "june", "delphi", "code", "malware", "next", "using", "urls http", "benjamin", "nids", "cowrie hashes", "dns replication", "files", "sample", "sender", "us postal", "cowrie", "iranian actor", "shipping", "healthcare", "ragnar locker", "qakbot", "qbot", "pii", "phi", "privacy", "honeypot", "referrer", "spyware", "android", "nanocore", "banker", "keylogger" ], "references": [ "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://security.didici.cc/cve", "https://whois.domaintools.com/gov1.info", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "Cowrie (honeypot) - Wikipedia", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware" ], "public": 1, "adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "ALF:Win32/GbdInf_123DF591.J!ibt", "display_name": "ALF:Win32/GbdInf_123DF591.J!ibt", "target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt" }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null }, { "id": "ALF:SpikeAexR.SECTHDR", "display_name": "ALF:SpikeAexR.SECTHDR", "target": null }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Ragnar Locker", "display_name": "Ragnar Locker", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null }, { "id": "NanCore RAY", "display_name": "NanCore RAY", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "Healthcare", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 347, "FileHash-SHA1": 222, "FileHash-SHA256": 6645, "hostname": 2744, "URL": 9123, "domain": 3065, "email": 4 }, "indicator_count": 22150, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ab3389d6c91dc01801fe5", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:40.610000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ab33e614882a4a7451ca8", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:46.936000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e6e042a968005f7a5552", "name": "Content Reputation | ET | Botnet | Targeting", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-17T14:40:32.084000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc13594cf21dbe00b94807", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-02-01T21:55:37.581000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "65b85faa9b8e3e1206d7f25c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658a2b6cfdcfeec5db5f31a1", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:00.119000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658a2b70d4e5f1b1267a5a45", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:04.914000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca31a0720e83e8630677d", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process [OctoSeek]", "description": "", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-27T22:20:10.878000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "815 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48b6ea16eeb6b54dfad7c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears", "description": "", "modified": "2024-01-15T01:33:34.790000", "created": "2024-01-15T01:33:34.790000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6590f9b6b1fe0330c655c25f", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "825 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715ad29ac565164664960b", "name": "InstallMate", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:40:34.888000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715b49b95c13605856d6d0", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:42:33.281000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715ad29ac565164664960b", "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6572622bba87d8d105a7259f", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-08T00:24:11.801000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715b49b95c13605856d6d0", "export_count": 234, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9b6b1fe0330c655c25f", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears ", "description": "", "modified": "2023-12-31T05:18:46.519000", "created": "2023-12-31T05:18:46.519000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "658741502e029e25c7152cc0", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9011e57040b2717c99c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:45.262000", "created": "2023-12-31T05:15:45.262000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6590f8f3b192d56e80294c13", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f8f3b192d56e80294c13", "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:31.645000", "created": "2023-12-31T05:15:31.645000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653f21878bcd05f7d594ff86", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658741502e029e25c7152cc0", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:36.641000", "created": "2023-12-23T20:21:36.641000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "848 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6587414f2e029e25c7152cbf", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:35.725000", "created": "2023-12-23T20:21:35.725000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "848 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c7a11d7541bdb3bfe5ff", "name": "Radar Ineractive. Law Firm responsible for cyber crime.", "description": "Is this legal. Attorney from Hall Render law firm cyber stalking and malvertizing targets in adult content, dungeons, death scenarios, suicide threats? Pulse auto populates targets: Tsara Brashears 'alleged' SA victim. This may not be the forum for my , death threats should always be investigated as should allegations of assault. Malware, BotNet, car and phone tracking, monitoring, injection, .gov is found throughout. Monitoring of Safebae.org; online movement began by now deceased 'alleged' SA victim, Daisy Coleman of Audrey & Daisy. High Risk surviving target. Crazy cover up? Each target seems to have a state government power 'implicated' in attack. \n\nEd Said", "modified": "2023-12-16T19:40:11.047000", "created": "2023-11-03T10:12:49.539000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1644, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13455, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654a772076be04f1649f9a42", "name": "Remote & other attacks. Dapato I Detplock I Emotet I", "description": "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg\nPurports to be based in Bangladesh, bounces to USA. Tor exit, relay router. Many proxies. Malicious. Very malicious targeting involved. Apple iOS hacking, device unlocking, CNC. Legal mischief.", "modified": "2023-12-07T17:00:24.699000", "created": "2023-11-07T17:42:56.873000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Hall Render", "display_name": "Hall Render", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 151, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2 }, "indicator_count": 18566, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "864 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654a7a4d960200d938e180c3", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar", "description": "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg\nPurports to be based in Bangladesh, bounces to USA. Tor exit, relay router. Many proxies. Malicious. Very malicious targeting involved. Apple iOS hacking, device unlocking, CNC. Legal mischief?\n\nCVE\tCVE-2017-0147\t\t\t\t\t\nCVE\tCVE-2015-1650\t\t\t\t\t\nCVE\tCVE-2014-6352\t\t\t\t\t\nCVE\tCVE-2014-3153\t\t\t\t\t\nCVE\tCVE-2017-8570\t\t\t\t\t\t\nCVE\tCVE-2015-6585\t\t\t\nCVE\tCVE-2012-0158\t\t\t\t\t\t\nCVE\tCVE-2010-3333\t\t\t\t\t\t\nCVE\tCVE-2017-17215\t\t\t\t\nhttp://1.116.132.182/weblogic_CVE_2020_2551.jar", "modified": "2023-12-07T17:00:24.699000", "created": "2023-11-07T17:56:29.786000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 152, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2 }, "indicator_count": 18566, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "864 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654a7a53317c717d1f4fee7f", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar", "description": "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg\nPurports to be based in Bangladesh, bounces to USA. Tor exit, relay router. Many proxies. Malicious. Very malicious targeting involved. Apple iOS hacking, device unlocking, CNC. Legal mischief?\n\nCVE\tCVE-2017-0147\t\t\t\t\t\nCVE\tCVE-2015-1650\t\t\t\t\t\nCVE\tCVE-2014-6352\t\t\t\t\t\nCVE\tCVE-2014-3153\t\t\t\t\t\nCVE\tCVE-2017-8570\t\t\t\t\t\t\nCVE\tCVE-2015-6585\t\t\t\nCVE\tCVE-2012-0158\t\t\t\t\t\t\nCVE\tCVE-2010-3333\t\t\t\t\t\t\nCVE\tCVE-2017-17215\t\t\t\t\nhttp://1.116.132.182/weblogic_CVE_2020_2551.jar", "modified": "2023-12-07T17:00:24.699000", "created": "2023-11-07T17:56:35.967000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 151, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2 }, "indicator_count": 18566, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "864 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654ab0f0b732066a2bdd1425", "name": "Remote & other attacks. Dapato I Detplock I Emotet I", "description": "", "modified": "2023-12-07T17:00:24.699000", "created": "2023-11-07T21:49:36.686000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Hall Render", "display_name": "Hall Render", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "white", "cloned_from": "654a772076be04f1649f9a42", "export_count": 143, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2 }, "indicator_count": 18566, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "864 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a835fc0836f148fa45c8", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2023-12-06T16:58:29.243000", "created": "2023-12-06T16:58:29.243000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a77022ab8eb59e186099", "name": "scan_host", "description": "", "modified": "2023-12-06T16:55:12.020000", "created": "2023-12-06T16:55:12.020000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a72f140326fa725a7583", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:54:07.518000", "created": "2023-12-06T16:54:07.518000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a71746cd05b8ffc71d86", "name": "Application Layer Protocol", "description": "", "modified": "2023-12-06T16:53:43.601000", "created": "2023-12-06T16:53:43.601000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6f9f0cb95f36a8590b6", "name": "Application Layer Protocol", "description": "", "modified": "2023-12-06T16:53:13.036000", "created": "2023-12-06T16:53:13.036000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6e151668215a7eb7ef6", "name": "Cyber Criminal Group", "description": "", "modified": "2023-12-06T16:52:49.885000", "created": "2023-12-06T16:52:49.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6cfa62bb520508659a6", "name": "NewOrder.doc", "description": "", "modified": "2023-12-06T16:52:31.959000", "created": "2023-12-06T16:52:31.959000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a521974bdb5d6dbda092", "name": "", "description": "", "modified": "2023-12-06T16:45:21.776000", "created": "2023-12-06T16:45:21.776000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5109ecc3c75c949f950", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-12-06T16:45:04.296000", "created": "2023-12-06T16:45:04.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4f322399eb1db2a07b2", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-12-06T16:44:35.786000", "created": "2023-12-06T16:44:35.786000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4e083c4acd789ea7e58", "name": "Blacklisted", "description": "", "modified": "2023-12-06T16:44:16.060000", "created": "2023-12-06T16:44:16.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2258, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15663, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4d5c14495fcf65ee8a5", "name": "Netsky", "description": "", "modified": "2023-12-06T16:44:05.631000", "created": "2023-12-06T16:44:05.631000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4cb97598bac143dc90b", "name": "Critical: Pinterest Cyber Espionage", "description": "", "modified": "2023-12-06T16:43:55.639000", "created": "2023-12-06T16:43:55.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3dd6b4fb6460f906d0b", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:39:57.080000", "created": "2023-12-06T16:39:57.080000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3cbf5835c0db09df031", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:39:39.015000", "created": "2023-12-06T16:39:39.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3ba609912d5c2688fda", "name": "&", "description": "", "modified": "2023-12-06T16:39:22.589000", "created": "2023-12-06T16:39:22.589000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3aab919327802eaa6c7", "name": "&", "description": "", "modified": "2023-12-06T16:39:06.882000", "created": "2023-12-06T16:39:06.882000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.Apple.com/quicktime/download/standalone.html", "apple.com. (malicious version/header)", "vtbehaviour.commondatastorage.googleapis.com", "www.studentaffairs.cmu.edu", "www.jamesbgriffinlaw.com (malicious host)", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "Cowrie (honeypot) - Wikipedia", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://cabinet.gov.bd/dead.php", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "1.116.132.182/weblogic_CVE_2020_2551.jar", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "http://titasgas.portal.gov.bd/dead.php", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://applepaydayloans.com/", "UrlVoid", "choco.exe", "http://1.116.132.182/.git/HEAD", "http://benjamin.xww.de/", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://45.159.189.105/bot/regex (Bot Command)", "http://www.Apple.com/quicktime/download", "https://github.com/cowrie/cowrie", "Any.run", "http://watchhers.net/index.php", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://emrd.gov.bd/dead.php", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "stagelight.pl (malicious/ pattern match)", "alohatube.xyz", "https://polling.portal.gov.bd/js/npc.script.js", "init.ess.apple.com (remote hacking)", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "45.159.189.105 (Command and Control)", "https://support.Apple.com/de", "Urlscan", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://www.colorfulbox.jp/", "wTools", "https://www.sweetheartvideo.com/tsara-brashears/", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "Behavior Pattern Match Analysis", "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "https://whois.domaintools.com/gov1.info", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware", "http://www.hallrender.com/resources/blog/", "firebaseremoteconfig.googleapis.com (remote hacking)", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://alohatube.xyz/search/tsara-brashears", "remote.telegrafix.com (remote hacking)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "ww.google.com.uy", "https://www.myminiweb.com/", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://www.roseoubleu.fr/panier (phishing)", "CVE-2022-26134", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://brandyallen.com/2022/11/23/sexy", "dvd-game-new-releases.info", "https://sinister.ly/Thread-Apple-empty-box?page=13", "http://matfyz.cz/ | phishing", "polling.portal.gov.bd", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "https://alohatube.xyz/search/tsara-brashears", "Data Analytics", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "google.cmu.edu.", "https://nsa.gov1.info/utah-data-center/", "Hybrid Analysis", "https://polling.portal.gov.bd/js/npop.script.js", "googlepassword.cmu.edu", "http://security.didici.cc/cve", "http://mincom.gov.bd/dead.php", "Research", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "OTX AlienVault", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy", "applepaydayloans.com", "remote.haverhillcc.com (remote hacking)", "poemhunter.com", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "ns3.hallgrandsale.ru", "https://twitter.com/PORNO_SEXYBABES", "https://www.apple.com/sitemap/", "safebae.org", "caltech.edu | Carnegie Mellon University", "Roksit.net", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "1.116.217.151 [Cobalt Strike]", "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "128.2.42.10 'CMU' Carnegie Mellon University Server", "https://www.hallrender.com/attorney/brian-sabey" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]", "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "Tulach | Mark Brian Sabey | Hall Render Law Firm" ], "malware_families": [ "Goldfinder", "Slfper:installcore", "Alf:ransom:win32/babax.sg!mtb", "Adware.dropware", "Trojan", "Tulach malware", "Tel:trojan:win32/emotet", "Njrat - s0385", "Wannacry kill switch", "Xpire.info", "Searchmeup", "Tel:delphi/obfuscator", "Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar", "Worm:win32/netsky", "Pws:msil/steam", "Qvm20.1.8d80.malware", "Gen:variant.bulz", "Hacktool.cheatengine", "Vidar", "Adwaresig [adw] ml.generic", "Ramnit", "Radar ineractive", "Iobit", "Hall render", "Trojan.generic", "Chinese", "Slfper:browsermodifier:win32/mediamagnet", "Backdoor.mokes", "#lowfi:siga:trojanspy:msil/keylogger", "Nanocore", "Swort", "Rms", "Alf:program:opencandy:remnant", "Yixun", "Gen:variant.razy", "Cobalt strike", "Malicious.22a4c0", "Sabey", "Worm:win32/benjamin", "Hallrender", "Tofsee", "Content reputation", "Goldmax - s0588", "Sality", "Bazaar loader", "Ml.generic", "Prynt", "Ransomexx", "Sodin ransomware", "Maltiverse", "Proxy", "Et", "Hallgrand", "Anonymizer", "Alf:trojan:win32/cassini_f28c33a2!ibt", "Sibot", "Azorult", "Racoon stealer", "Gc", "Alf:heraklezeval:ransom:msil/gorf", "Alf:trojan:win32/cassini_ade36583!ibt", "Emotet", "Hiddentear", "Trojan.barys/cobalt", "Nymaim", "Skynet", "Feodo tracker", "Webtoolbar", "Darkside .beware", "Alf:trojan:msil/agenttesla.km", "Mbt", "Redline stealer", "Artemis", "Generic", "Mirai", "Trojan.ole2.vbs", "Laplasclipper", "Generic.malware", "Alf:heraklezeval:pua:win32/spyrixkeylogger", "Trojanspy", "Neurovt", "Agent tesla", "Ragnar locker", "Cobalt strike - s0154", "#hstr:hacktool:win32/mimikatz", "Zbot", "Virut", "Domains", "Cutwail", "Mimikatz", "Trojan:win32/installcore", "Silk road", "Trojan.html.agent", "Gamehack.dr", "Opencandy", "Quasar rat", "Hacktool.bruteforce", "Ransomware", "Ducktail", "Trojan:win32/wacatac", "Generic.31fcc75f", "Formbook", "Ghandi", "Redline", "Zpevdo", "Hacktool", "Immortal stealer", "Relic", "Tiggre", "Phish.ab", "Sdbot.caoc", "Keyloggers", "Occamy", "Nanocore rat", "Network rat", "Blacknet", "Noname057", "Systweak", "Nancore ray", "Xrat", "Raccoon stealer", "Inmortal", "Worm", "Dropper.binder", "Alf:spikeaexr.secthdr", "Gandcrab", "Alf:win32/gbdinf_123df591.j!ibt", "Qakbot", "Verified", "Trojanx", "Malware.generic", "Gen:variant.zusy", "Suppobox", "Wacatac", "Firehol", "W32.hack.generic", "Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea", "Tulach", "Worm:vbs/dapato", "Hsbc", "Looquer", "Qbot", "Br", "Detplock", "Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat", "Colbalt strike", "Kraddare", "Alf:heraklezeval:trojan:win32/clipbanker , , alf:trojan:win32/autorun.pi!mtb , alf:trojan:win32/cassini_6d4ebdc9!ibt", "Trojan.ransom.generickd" ], "industries": [ "Healthcare", "Insurance", "Health" ], "unique_indicators": 209589 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/alohatube.xyz", "whois": "http://whois.domaintools.com/alohatube.xyz", "domain": "alohatube.xyz", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-04-19T07:36:41.138000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2, "IPv4": 1 }, "indicator_count": 18567, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2730aa46a25d7949daa8d", "name": "apple retail dnspionage clone octoseek", "description": "", "modified": "2026-04-11T00:03:57.096000", "created": "2026-03-12T08:02:18.609000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653a092e3e9270a3ccff2aa0", "name": "Apple iOS compromise. CVE Jar", "description": "ASpeakSoft iOS iPhone Unlocker v1.0.36 Multilingual Portable.exe\nTargets Tsara Brashears iPhone unlocked, Total command and control. Dumping, remote access, hidden users, privilege escalation, malware spreading, tracking, defacement, libel, harassment. \n\nTarget at eminent risk", "modified": "2024-08-28T12:01:51.699000", "created": "2023-10-26T06:37:34.613000", "tags": [ "apple ios", "tsara brashears", "unlocker", "critical risk", "cyberstalking", "elf collection", "apple phone", "shell code", "script", "spyware", "hacktool", "installer", "banker", "keylogger", "name verdict", "falcon sandbox", "beginstring", "sha256", "sha1", "runtime process", "segoe ui", "internet", "null", "size", "misc attack", "unknown", "error", "span", "date", "body", "refresh", "class", "generator", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "hiddentears", "PyInstaller", "ransomware", "verified", "et", "legal entities", "phishing", "e-devlet", "buff achievement tracker", "cyber warfare", "malware", "ransom", "malware spreader", "et malware", "neurevt.a.betabot check in", "atlassian", "Tulach malware", "shell code script", "TrojanSpy", "remote access", "cve", "collection", "monitoring", "cyber threat", "cyber stalking", "cybercrime", "lockbin.1", "python connection", "elf", "redirect", "watchhers", "tracking", "fed", "us", "blob", "vortex", "Amazon aes", "spyware", "banker", "synaptics", "fraud service", "python initiated connection", "Trojan_Win_Generic_101", "malware trojan", "evader", "contacted", "execution", "cobaltstrike", "hacking_tool", "trojan", "cve exploit", "red team tools", "fireeye", "noname057", "adult content", "pornographer", "attack", "unsafe", "tulach malware", "remote attacks", "Rat" ], "references": [ "1.116.132.182/weblogic_CVE_2020_2551.jar", "http://1.116.132.182/.git/HEAD" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "trojan.barys/cobalt", "display_name": "trojan.barys/cobalt", "target": null }, { "id": "NoName057", "display_name": "NoName057", "target": null }, { "id": "Network RAT", "display_name": "Network RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 92, "FileHash-SHA256": 984, "URL": 2184, "domain": 274, "hostname": 782, "CVE": 10 }, "indicator_count": 4425, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b4cea3e6da3a00306ae11", "name": "Ragnar Locker | Cowrie Hash", "description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.", "modified": "2024-02-06T23:04:54.022000", "created": "2024-01-08T01:16:26.884000", "tags": [ "contacted", "pe resource", "execution", "problems", "alienvault part", "dropped", "kgs0", "kls0", "collections", "schema abuse", "iframe", "united", "as29791", "search", "entries", "passive dns", "urls", "service", "date", "unknown", "japan unknown", "body", "czechia unknown", "sinkhole", "emotet", "date hash", "avast avg", "mtb dec", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "samples", "tulach", "tulach.cc", "sabey data center", "malware server", "gorf", "set cookie", "united kingdom", "script urls", "trojan", "status", "showing", "cookie", "template", "johnnsabey", "briansabey", "data center", "choco", "name", "win32 exe", "domains", "registrar", "markmonitor inc", "ip detections", "country", "us execution", "parents", "whois record", "whois whois", "ssl certificate", "apple ios", "red team", "tsara brashears", "historical ssl", "hacktool", "copy", "malicious", "life", "unsafe", "server", "registrar abuse", "contact phone", "domain status", "registrar whois", "email", "registry domain", "registry expiry", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "show", "free", "recon", "benjamin", "write", "worm", "win32", "june", "delphi", "code", "malware", "next", "using", "urls http", "benjamin", "nids", "cowrie hashes", "dns replication", "files", "sample", "sender", "us postal", "cowrie", "iranian actor", "shipping", "healthcare", "ragnar locker", "qakbot", "qbot", "pii", "phi", "privacy", "honeypot", "referrer", "spyware", "android", "nanocore", "banker", "keylogger" ], "references": [ "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://security.didici.cc/cve", "https://whois.domaintools.com/gov1.info", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "Cowrie (honeypot) - Wikipedia", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware" ], "public": 1, "adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "ALF:Win32/GbdInf_123DF591.J!ibt", "display_name": "ALF:Win32/GbdInf_123DF591.J!ibt", "target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt" }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null }, { "id": "ALF:SpikeAexR.SECTHDR", "display_name": "ALF:SpikeAexR.SECTHDR", "target": null }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Ragnar Locker", "display_name": "Ragnar Locker", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null }, { "id": "NanCore RAY", "display_name": "NanCore RAY", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "Healthcare", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 347, "FileHash-SHA1": 222, "FileHash-SHA256": 6645, "hostname": 2744, "URL": 9123, "domain": 3065, "email": 4 }, "indicator_count": 22150, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ab3389d6c91dc01801fe5", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:40.610000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ab33e614882a4a7451ca8", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:46.936000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://alohatube.xyz/...", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://alohatube.xyz/...", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641477.8069 }