{
"type": "URL",
"indicator": "https://alt7.phoneticarts.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://alt7.phoneticarts.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2918441933,
"indicator": "https://alt7.phoneticarts.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 35,
"pulses": [
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962b68da732abc66a0c2caf",
"name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
"description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
"modified": "2026-02-09T19:00:09.890000",
"created": "2026-01-10T20:29:01.675000",
"tags": [
"ip address",
"status code",
"kb body",
"iocs",
"deny age",
"cloudfront",
"utc google",
"tag manager",
"g8t6ln06z40",
"utc na",
"google tag",
"injection",
"t1055 malware",
"tree",
"help v",
"defense evasion",
"injection t1055",
"resolved ips",
"get http",
"dns resolutions",
"v memory",
"pattern domains",
"full reports",
"v help",
"memory pattern",
"urls https",
"hashes",
"tiktok",
"microsoft",
"dashboard falcon",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"appleid",
"united",
"name servers",
"aaaa",
"servers",
"moved",
"script urls",
"passive dns",
"urls",
"data upload",
"extraction",
"failed",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"pegasus",
"encrypt",
"title error",
"ipv4",
"files",
"reverse dns",
"united states",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"t1204 user",
"script",
"beginstring",
"bad traffic",
"et info",
"null",
"title",
"refresh",
"span",
"strings",
"error",
"tools",
"meta",
"look",
"verify",
"restart",
"mitre att",
"ascii text",
"pattern match",
"ck matrix",
"tls handshake",
"hybrid",
"general",
"local",
"path",
"click",
"ck techniques",
"access att",
"div div",
"a li",
"ul div",
"record value",
"emails",
"accept",
"referen https",
"microsoft-falcon.net",
"proxy",
"status",
"certificate",
"updated date",
"whois server",
"zipcode",
"entries http",
"scans show",
"search",
"matches x",
"type",
"gmt cache",
"all ipv4",
"america flag",
"america asn",
"sameorigin",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jan",
"ipv4 add",
"win32mydoom jan",
"trojan",
"worm",
"expiration date",
"files show",
"date hash",
"avast avg",
"win32mydoom",
"backdoor",
"found",
"gmt connection",
"control",
"content type",
"twitter",
"dynamicloader",
"medium",
"high",
"msie",
"wow64",
"slcc2",
"media center",
"write",
"global",
"domain name",
"hostname",
"apple",
"racebook",
"mouse movement",
"remote mouse",
"domain",
"hostname add",
"url analysis",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"music",
"push",
"autorun",
"unknown",
"present sep",
"present may",
"present jan",
"present aug",
"cname",
"present nov",
"present jun",
"apache",
"body",
"pragma",
"found registry",
"able",
"model",
"indicator",
"source",
"show technique",
"file",
"internet",
"errore",
"erreur",
"download",
"service",
"crypto",
"compiler",
"installer",
"yang",
"updater",
"shutdown",
"thunk",
"este",
"install",
"reboot",
"code",
"downloader",
"sigur",
"kanna",
"der zugriff",
"google",
"chrome",
"Pahamify Pegasus",
"christoper p. ahmann",
"law enforcement",
"retaliation",
"phone",
"espionage",
"united states",
"m brian sabey",
"quasi government",
"target",
"monitored targeting",
"aig",
"therahand (old name)",
"target: tsara brashears",
"douglas county, co",
"sheriff",
"industry and commerce",
"worker\u2019s compensation",
"crime",
"financial crime",
"danger",
"nem tih",
"amazon",
"aws",
"amazon aws",
"deal",
"deal with it lawfully",
"pay victim",
"protecting reimer"
],
"references": [
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"Pahamify Pegasus",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"tv.apple.com",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"IDS: TLS Handshake Failure",
"Yara Detections BackdoorWin32Simda",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Virus:Win95/Cerebrus",
"display_name": "Virus:Win95/Cerebrus",
"target": "/malware/Virus:Win95/Cerebrus"
},
{
"id": "AutoRunIt",
"display_name": "AutoRunIt",
"target": null
},
{
"id": "Sigur",
"display_name": "Sigur",
"target": null
},
{
"id": "Kanna",
"display_name": "Kanna",
"target": null
},
{
"id": "Der Zugriff",
"display_name": "Der Zugriff",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1569.002",
"name": "Service Execution",
"display_name": "T1569.002 - Service Execution"
},
{
"id": "T1543.003",
"name": "Windows Service",
"display_name": "T1543.003 - Windows Service"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1134.001",
"name": "Token Impersonation/Theft",
"display_name": "T1134.001 - Token Impersonation/Theft"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1134.002",
"name": "Create Process with Token",
"display_name": "T1134.002 - Create Process with Token"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1564.003",
"name": "Hidden Window",
"display_name": "T1564.003 - Hidden Window"
},
{
"id": "T1497.003",
"name": "Time Based Evasion",
"display_name": "T1497.003 - Time Based Evasion"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1497.002",
"name": "User Activity Based Checks",
"display_name": "T1497.002 - User Activity Based Checks"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1074.001",
"name": "Local Data Staging",
"display_name": "T1074.001 - Local Data Staging"
},
{
"id": "T1560.002",
"name": "Archive via Library",
"display_name": "T1560.002 - Archive via Library"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
}
],
"industries": [
"Civil Society",
"Legal",
"Government",
"Technology",
"Telecommunications",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6094,
"domain": 1195,
"hostname": 2001,
"FileHash-SHA256": 2598,
"FileHash-MD5": 546,
"FileHash-SHA1": 403,
"email": 16,
"CVE": 2,
"SSLCertFingerprint": 3
},
"indicator_count": 12858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "676493c5607a603f1785a935",
"name": "https://ginko.garden/pl/contact tel:+48 797 920 339 ip4 77.79.221.180 77.79.221.148",
"description": "Pasywna replikacja DNS: \n77.79.221.180 \nSugerowany opis:\nPe\u0142ny tekst Ginko.Garden - Nowoczesne dekoracje i pergole metalowe - wedi dweud eu glass - metaloplastyka.\nSugerowane identyfikatory ATT&CK:\nOgr\u00f3d - Nowoczesne dekoracje z metalu do ogrodu - bi\u017cuteria ogrodowa i dekoracje szklane - pergole metalowe - metaloplastyka Meta Tagi s\u0142owa kluczowe Nowoczesne dekoracje z metalu do ogrodu - pergole metalowe - Ginko.\n77.79.221.148 \n46.41.159.227 \n46.41.159.177",
"modified": "2025-07-28T11:51:42.400000",
"created": "2024-12-19T21:44:37.537000",
"tags": [
"copyright",
"customevent",
"typeof e",
"boomerang",
"typeof t",
"macintosh",
"os x",
"post",
"typeof",
"iframe",
"date",
"nazwa rekordu",
"aaaaa",
"na wniosek",
"bezpieczestwo",
"serwer",
"przerwa",
"informacja o",
"prace",
"nazwa",
"hasze",
"adresy url",
"nazwa http",
"configoverride",
"continuity",
"pageparam s",
"iframedelay",
"autoxhr",
"historia",
"nazwa https",
"uytkownik",
"zenbox",
"komunikacja",
"pliki",
"rozmiar",
"kb data",
"wykrycia nie",
"mitre",
"ids nie",
"sigmy nie",
"submission",
"sha256",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"trid hypertext",
"markup language"
],
"references": [
"https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1334,
"hostname": 454,
"domain": 346,
"IPv6": 2,
"IPv4": 36,
"FileHash-SHA256": 1499,
"FileHash-MD5": 92,
"FileHash-SHA1": 74,
"CVE": 1,
"email": 1
},
"indicator_count": 3839,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "265 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6695e27f356a22d97fba5ca8",
"name": "Critical attack/s continues to affect YouTube Creator/s account/s",
"description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23",
"modified": "2024-08-15T02:00:24.886000",
"created": "2024-07-16T03:01:17.316000",
"tags": [
"win32 exe",
"wextract",
"kb file",
"files",
"file type",
"javascript",
"graph",
"ip detections",
"country",
"userprofile",
"runtime modules",
"samplepath",
"delnoderundll32",
"mpgph131 hr",
"hourly rl",
"highest c",
"mpgph131 lg",
"onlogon rl",
"highest",
"process",
"registrya",
"registry keys",
"registry",
"windows policy",
"shell folders",
"file execution",
"binary data",
"security center",
"text c",
"peexe c",
"xml c",
"zip c",
"file system",
"written c",
"dropped",
"hashes",
"windows nt",
"wow64",
"referer https",
"date thu",
"get https",
"request",
"gecko response",
"gmt connection",
"gmt vary",
"etag",
"accept",
"win64",
"query",
"windows get",
"internal",
"set file",
"create",
"create process",
"windows read",
"shutdown system",
"modify access",
"delete registry",
"enumerate",
"behavior tags",
"k0pmbc",
"spsfsb",
"ctsu",
"efq78c",
"egw7od",
"en3i8d",
"i6ydgd",
"iz1fbc",
"izt63",
"kum7z",
"vs2003",
"sp1 build",
"contained",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"simplified",
"army",
"variant sides",
"with russia",
"ramnit",
"netsupport rat",
"sneaky server",
"replacement",
"unauthorized",
"sim unlock",
"emotet",
"chaos",
"malicious",
"critical",
"copy",
"life",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"cc linker",
"urls",
"gandi sas",
"domains",
"cloudflare",
"ii llc",
"psiusa",
"domain robot",
"ltd dba",
"com laude",
"ascio",
"contacted",
"ms word",
"document",
"b file",
"html",
"javascript jac",
"html iu3",
"executed by usa",
"#wextract",
"#unsigned",
"thor",
"stealer",
"evader",
"systemroot",
"grum",
"high",
"delete c",
"cape",
"write",
"103 read",
"clsid read",
"date read",
"trojan",
"united",
"unknown",
"status",
"cname",
"creation date",
"search",
"as1921",
"austria unknown",
"emails",
"expiration date",
"date",
"pragma",
"next",
"passive dns",
"backdoor",
"win32",
"scan endpoints",
"all scoreblue",
"ipv4",
"usa",
"co",
"teams",
"cybercrime",
"spoof",
"benjamin",
"dynamicloader",
"write c",
"pe32 executable",
"show",
"yara rule",
"windows",
"recon",
"worm",
"powershell",
"june",
"delphi",
"malware",
"malice",
"retaliation",
"through the nights",
"apple",
"lenovo",
"ios",
"hackers",
"move",
"moved"
],
"references": [
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"nr-data.net [Apple Private Data Collection]",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "WAT:Blacked-E",
"display_name": "WAT:Blacked-E",
"target": null
},
{
"id": "Win32:RmnDrp [Inf]",
"display_name": "Win32:RmnDrp [Inf]",
"target": null
},
{
"id": "AI:FileInfector.EAEEA7850C",
"display_name": "AI:FileInfector.EAEEA7850C",
"target": null
},
{
"id": "Virus.Ramnit/Nimnul",
"display_name": "Virus.Ramnit/Nimnul",
"target": null
},
{
"id": "Trojan.Crifi.1",
"display_name": "Trojan.Crifi.1",
"target": null
},
{
"id": "Trojan.MSIL.Injurer.cbd",
"display_name": "Trojan.MSIL.Injurer.cbd",
"target": null
},
{
"id": "Win.Downloader.Small-1645",
"display_name": "Win.Downloader.Small-1645",
"target": null
},
{
"id": "Trojan:Win32/Scrarev.C",
"display_name": "Trojan:Win32/Scrarev.C",
"target": "/malware/Trojan:Win32/Scrarev.C"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Speesipro.A",
"display_name": "Trojan:Win32/Speesipro.A",
"target": "/malware/Trojan:Win32/Speesipro.A"
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Backdoor:Win32/Likseput.B",
"display_name": "Backdoor:Win32/Likseput.B",
"target": "/malware/Backdoor:Win32/Likseput.B"
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1134.004",
"name": "Parent PID Spoofing",
"display_name": "T1134.004 - Parent PID Spoofing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1003.007",
"name": "Proc Filesystem",
"display_name": "T1003.007 - Proc Filesystem"
},
{
"id": "T1042",
"name": "Change Default File Association",
"display_name": "T1042 - Change Default File Association"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Media",
"Technology",
"Civil Society",
"Crime Victims"
],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4312,
"domain": 1056,
"hostname": 1818,
"URL": 5125,
"FileHash-MD5": 310,
"FileHash-SHA1": 221,
"email": 3
},
"indicator_count": 12845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "612 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea6410c1e1b1185951ef98",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)",
"description": "",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-08T01:04:16.906000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65e863bebbf95e0dc5a4169a",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65caca061fbb7674de86ec7b",
"name": "Invicta Stealer",
"description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com",
"modified": "2024-03-14T01:01:47.115000",
"created": "2024-02-13T01:46:46.969000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"communicating",
"whois whois",
"subdomains",
"referrer",
"problems",
"core",
"startpage",
"june",
"passive dns",
"urls",
"domain",
"otx telemetry",
"body",
"gmt content",
"x adblock",
"scan endpoints",
"all octoseek",
"hostname",
"date",
"encrypt",
"threat roundup",
"october",
"november",
"march",
"february",
"apple ios",
"april",
"tsara brashears",
"copy",
"hacktool",
"phishing",
"metro",
"crypto",
"installer",
"awful",
"united",
"unknown",
"germany unknown",
"search",
"servers",
"registrar",
"name servers",
"status",
"next",
"moved",
"address",
"creation date",
"showing",
"ipv4",
"pulse submit",
"url analysis",
"accept",
"aaaa",
"record type",
"ttl value",
"html document",
"ascii text",
"anchor hrefs",
"hrefs",
"anchor",
"anchor href",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"url https",
"sample",
"server",
"code",
"registry domain",
"dnssec",
"registrar url",
"registrar whois",
"iana id",
"registrar abuse",
"tech email",
"fake update",
"utilizes new",
"idat loader",
"stealc",
"urls http",
"isadultno",
"adposbottom",
"adformatplain",
"adnetworks",
"quasar rat",
"ip detections",
"country",
"cellbrite",
"execution",
"pegasus",
"malware",
"agent tesla",
"attack",
"ukraine",
"silent",
"invicta stealer",
"redline stealer",
"orcus rat",
"files",
"germany asn",
"as196763",
"a domains",
"redacted for",
"record value",
"for privacy",
"emails",
"name",
"contacted urls",
"bundled",
"de indicators",
"domains",
"hashes",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"pulse pulses",
"location united",
"open",
"cookie",
"customer",
"0 report",
"sea alt",
"certificate",
"#targeting",
"#discordwallets",
"house.mo.gov"
],
"references": [
"https://www.facebooksunglassshop.com/",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"edgedl.me.gvt1.com",
"Link found in https://house.mo.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Invicta Stealer",
"display_name": "Invicta Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Orcus RAT",
"display_name": "Orcus RAT",
"target": null
},
{
"id": "Silent",
"display_name": "Silent",
"target": null
}
],
"attack_ids": [],
"industries": [
"Government",
"Civil Society",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 65,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 145,
"FileHash-SHA256": 3848,
"CVE": 3,
"URL": 8291,
"domain": 2541,
"hostname": 3034,
"email": 13
},
"indicator_count": 18028,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a836104ede1963b0502042",
"name": "Not even Google",
"description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com",
"modified": "2024-02-16T17:02:44.115000",
"created": "2024-01-17T20:18:24.316000",
"tags": [
"ssl certificate",
"threat roundup",
"whois record",
"march",
"october",
"contacted",
"july",
"april",
"june",
"roundup",
"august",
"copy",
"execution",
"plugx",
"goldfinder",
"sibot",
"hacktool",
"february",
"ransomexx",
"ermac",
"emotet",
"agent tesla",
"nokoyawa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1315,
"URL": 1384,
"domain": 327,
"hostname": 516,
"FileHash-MD5": 19,
"FileHash-SHA1": 19
},
"indicator_count": 3580,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "793 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658303b7e2b4417d9e24a7cc",
"name": "Reddit Honeypot | Cyber Defense Firm Attack",
"description": "",
"modified": "2024-01-19T12:02:13.495000",
"created": "2023-12-20T15:09:43.783000",
"tags": [
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"sha1",
"sha256",
"runtime process",
"date",
"unknown",
"error",
"path",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"accept",
"url http",
"filehashmd5",
"url https",
"search otx",
"octoseek report",
"spam author",
"reddit",
"tulach c2",
"created",
"minutes ago",
"added active",
"related pulses",
"am",
"no expiration",
"indicator role",
"pulses url",
"showing",
"entries",
"dded active",
"copyright",
"reserved",
"cve cve20170199",
"win32 exe",
"android",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"headers",
"manager",
"files",
"detections type",
"name",
"lord krishna",
"right",
"tjprojmain",
"windows",
"secure",
"headers nel",
"ssl certificate",
"whois whois",
"historical ssl",
"referrer",
"logistics",
"cyber defense",
"firm collection",
"ioc honeypot",
"list for",
"malware",
"open",
"attack",
"contacted",
"dropped",
"bundled",
"problems",
"whois record",
"domains",
"execution",
"agent tesla",
"azorult",
"project",
"startpage",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"magic pe32",
"installer",
"compiler",
"nsis",
"serial number",
"g4 code",
"signing rsa4096",
"sha384",
"root g4",
"valid from",
"algorithm",
"thumbprint",
"fast corporate",
"from",
"pe resource",
"collection",
"vt graph",
"paulsmith",
"apple tv",
"apple music",
"$RTD4NQU.exe",
"no data",
"tag count",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"iocs",
"summary",
"nisis",
"executable",
"ms windows",
"trid win64",
"generic",
"sections",
"sha256 file",
"type type",
"chi2",
"dkey english",
"xml rtmanifest",
"english us",
"overlay",
"learn",
"botnet",
"honeypot",
"ejkaej saBey k7-^Oa"
],
"references": [
"https://www.reddit.com/user/",
"https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary",
"Gowi Live Bot.exe",
"https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary",
"https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f",
"nr-data.net [New Relic Tracking | Apple Private Data Collection]",
"[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]",
"tv.apple.com [Apple Backdoor| Attack | Hacking]",
"name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]",
"browser.events.data.msn.com | events-sandbox.data.msn.com",
"https://tulach.cc/ [phishing attacks]",
"tulach.cc [AM | phishing]",
"$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy",
"$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC",
"3.163.189.120 [Tracking]",
"86.140.232.148 [scanning_host]",
"https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]",
"http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]",
"checkip.dyndns.org [command_and_control]",
"104.86.182.8 [command_and_control]",
"103.224.182.253 [command_and_control]",
"103.224.182.246 [command_and_control]",
"www.supernetforme.com [command_and_control]",
"rp.downloadastrocdn.com [command_and_control]",
"ddos.dnsnb8.net [command_and_control]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "AM",
"display_name": "AM",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "adware.pcappstore/veryfast",
"display_name": "adware.pcappstore/veryfast",
"target": null
},
{
"id": "NSIS",
"display_name": "NSIS",
"target": null
},
{
"id": "Static AI - Malicious PE",
"display_name": "Static AI - Malicious PE",
"target": null
},
{
"id": "HoneyPot",
"display_name": "HoneyPot",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 392,
"FileHash-SHA1": 374,
"FileHash-SHA256": 5560,
"URL": 7433,
"domain": 1461,
"hostname": 2463,
"CVE": 3,
"email": 1
},
"indicator_count": 17687,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a7dda4ef145116f1593a",
"name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com",
"description": "",
"modified": "2023-12-06T16:57:01.831000",
"created": "2023-12-06T16:57:01.831000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 5,
"hostname": 551,
"FileHash-SHA256": 650,
"FileHash-MD5": 425,
"FileHash-SHA1": 224,
"URL": 1019,
"domain": 485,
"email": 2,
"FilePath": 2
},
"indicator_count": 3363,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a7d867bfb30b452b94d0",
"name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com",
"description": "",
"modified": "2023-12-06T16:56:56.522000",
"created": "2023-12-06T16:56:56.522000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 5,
"hostname": 551,
"FileHash-SHA256": 650,
"FileHash-MD5": 425,
"FileHash-SHA1": 224,
"URL": 1019,
"domain": 485,
"email": 2,
"FilePath": 2
},
"indicator_count": 3363,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a78eb69b21bf0d7aab38",
"name": "Strictor CNC | APT37 | IP148.251.234.93 | Anonymizer | Redline",
"description": "",
"modified": "2023-12-06T16:55:42.674000",
"created": "2023-12-06T16:55:42.674000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 723,
"hostname": 687,
"FileHash-SHA256": 1519,
"URL": 2751,
"FileHash-MD5": 1,
"FileHash-SHA1": 1
},
"indicator_count": 5682,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657092f9499206cd87c73969",
"name": "iphone",
"description": "",
"modified": "2023-12-06T15:27:53.981000",
"created": "2023-12-06T15:27:53.981000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1768,
"hostname": 808,
"domain": 306,
"URL": 1938,
"FileHash-SHA1": 1
},
"indicator_count": 4821,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657089f0a9a109319e652f2e",
"name": "Democracy.works_3.23.22",
"description": "",
"modified": "2023-12-06T14:49:20.276000",
"created": "2023-12-06T14:49:20.276000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 3788,
"URL": 10812,
"hostname": 2537,
"domain": 1018,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 18160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657089d7a9a109319e652f2d",
"name": "DEMOCRACY.WORKS",
"description": "",
"modified": "2023-12-06T14:48:55.889000",
"created": "2023-12-06T14:48:55.889000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-SHA256": 3611,
"URL": 9861,
"hostname": 2031,
"domain": 945,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 16452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080e2831409d23c8d24a5",
"name": "iMessages.app 03.01.2022",
"description": "",
"modified": "2023-12-06T14:10:42.459000",
"created": "2023-12-06T14:10:42.459000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1768,
"hostname": 808,
"domain": 306,
"URL": 1937,
"FileHash-SHA1": 1
},
"indicator_count": 4820,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707e5b7df6f60133e8fb50",
"name": "Jeeng / Powerbox",
"description": "",
"modified": "2023-12-06T13:59:55.129000",
"created": "2023-12-06T13:59:55.129000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 3,
"FileHash-SHA256": 9072,
"domain": 2500,
"hostname": 3584,
"URL": 13548,
"FileHash-MD5": 197,
"FileHash-SHA1": 162,
"email": 19,
"CIDR": 20,
"SSLCertFingerprint": 2,
"BitcoinAddress": 1
},
"indicator_count": 29108,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6546d0120a7e479fecffe2b1",
"name": "Browser Malware Attack",
"description": "Attacking browser to identify researcher.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"modified": "2023-12-04T22:00:43.514000",
"created": "2023-11-04T23:13:21.883000",
"tags": [
"united",
"facebook",
"phishtank",
"detection list",
"ip address",
"blacklist",
"paypal",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"million",
"malicious url",
"malware site",
"malicious site",
"malware",
"name verdict",
"falcon sandbox",
"reports no",
"speci",
"efr1",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"et tor",
"known tor",
"relayrouter",
"date",
"unknown",
"general",
"hybrid",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"phishing site",
"heur",
"cyber threat",
"unsafe",
"riskware",
"phishing",
"bank",
"service",
"artemis",
"team",
"xtrat",
"agent",
"xrat",
"filetour",
"exploit",
"conduit",
"opencandy",
"fusioncore",
"orkut",
"steam",
"genkryptik",
"runescape",
"presenoker",
"ramnit",
"msil",
"crack",
"tofsee",
"suppobox",
"malicious",
"simda",
"vawtrak",
"hotmail",
"generic",
"webtoolbar",
"hsbc",
"maltiverse",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"count blacklist",
"tag count",
"downldr",
"cleaner",
"iframe",
"wacatac",
"alexa",
"win64",
"swrort",
"installcore",
"azorult",
"download",
"blacknet rat",
"stealer",
"softcnapp",
"nircmd",
"unruy",
"patcher",
"adload",
"dropper",
"installpack",
"tiggre",
"gamehack",
"trojanspy",
"germany http",
"attacker",
"static engine",
"internet storm",
"center",
"passive dns",
"urls",
"scan endpoints",
"all search",
"otx scoreblue",
"url http",
"pulse pulses",
"http",
"related nids"
],
"references": [
"https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"object.prototype.hasownproperty.call",
"hasownproperty.call",
"a.default.meta.applestore.id",
"applestore.id",
"http://decafsmob.this.id",
"id.google.com",
"http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/",
"http://git.io/yBU2rg",
"critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website",
"https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param",
"http://tracking.3061331.corn10wuk.club",
"http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904",
"apps.apple.com/us/app/id$",
"t.name",
"http://e.id?e.id:e.id.getAttribute",
"location.search",
"https://dnsorangetel.dn2.n-helix.com",
"1080p-torrent.ml",
"states.app",
"dev-2.ernestatech.com",
"https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d",
"209.85.145.113 [malware]",
"cdn.fuckporntube.com",
"www.search.app.goo.gl",
"apps.apple.com",
"http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv",
"https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html",
"globalworker1.sol.us",
"worker-m-tlcus1.sol.us"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany",
"Ireland",
"Singapore"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 33,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1015,
"hostname": 1309,
"FileHash-MD5": 466,
"FileHash-SHA1": 255,
"FileHash-SHA256": 3783,
"URL": 4001,
"CVE": 9,
"email": 3
},
"indicator_count": 10841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "867 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6546cf78627adef6562a97aa",
"name": "Browser Malware Attack",
"description": "Attacking my browser to identify.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"modified": "2023-12-04T22:00:43.514000",
"created": "2023-11-04T23:10:48.676000",
"tags": [
"united",
"facebook",
"phishtank",
"detection list",
"ip address",
"blacklist",
"paypal",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"million",
"malicious url",
"malware site",
"malicious site",
"malware",
"name verdict",
"falcon sandbox",
"reports no",
"speci",
"efr1",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"et tor",
"known tor",
"relayrouter",
"date",
"unknown",
"general",
"hybrid",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"phishing site",
"heur",
"cyber threat",
"unsafe",
"riskware",
"phishing",
"bank",
"service",
"artemis",
"team",
"xtrat",
"agent",
"xrat",
"filetour",
"exploit",
"conduit",
"opencandy",
"fusioncore",
"orkut",
"steam",
"genkryptik",
"runescape",
"presenoker",
"ramnit",
"msil",
"crack",
"tofsee",
"suppobox",
"malicious",
"simda",
"vawtrak",
"hotmail",
"generic",
"webtoolbar",
"hsbc",
"maltiverse",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"count blacklist",
"tag count",
"downldr",
"cleaner",
"iframe",
"wacatac",
"alexa",
"win64",
"swrort",
"installcore",
"azorult",
"download",
"blacknet rat",
"stealer",
"softcnapp",
"nircmd",
"unruy",
"patcher",
"adload",
"dropper",
"installpack",
"tiggre",
"gamehack",
"trojanspy",
"germany http",
"attacker",
"static engine",
"internet storm",
"center",
"passive dns",
"urls",
"scan endpoints",
"all search",
"otx scoreblue",
"url http",
"pulse pulses",
"http",
"related nids"
],
"references": [
"https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"object.prototype.hasownproperty.call",
"hasownproperty.call",
"a.default.meta.applestore.id",
"applestore.id",
"http://decafsmob.this.id",
"id.google.com",
"http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/",
"http://git.io/yBU2rg",
"critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website",
"https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param",
"http://tracking.3061331.corn10wuk.club",
"http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904",
"apps.apple.com/us/app/id$",
"t.name",
"http://e.id?e.id:e.id.getAttribute",
"location.search",
"https://dnsorangetel.dn2.n-helix.com",
"1080p-torrent.ml",
"states.app",
"dev-2.ernestatech.com",
"https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d",
"209.85.145.113 [malware]",
"cdn.fuckporntube.com",
"www.search.app.goo.gl",
"apps.apple.com",
"http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv",
"https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html",
"globalworker1.sol.us",
"worker-m-tlcus1.sol.us"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany",
"Ireland",
"Singapore"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1015,
"hostname": 1309,
"FileHash-MD5": 466,
"FileHash-SHA1": 255,
"FileHash-SHA256": 3783,
"URL": 4001,
"CVE": 9,
"email": 3
},
"indicator_count": 10841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "867 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653bf3b076e4dbcd0c099992",
"name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration",
"description": "DeepScan run (absolute overkill). I witnessed excessive data use, device is completely practically unusable, many black pages, denial of most services. CNC. Browser bar became a malicious app that returns 0 searches. Attack directed towards my devices.\nNo stone left unturned. Passwords taken. Apps installed to device Covered can on device takes pictures/flash at will. Evasive. Very talented hackers. \nBravo! Very intrusive. Constantly attacking.\nTarget: Tsara Brashears and researcher",
"modified": "2023-11-26T14:04:04.692000",
"created": "2023-10-27T17:30:24.926000",
"tags": [
"ssl certificate",
"historical ssl",
"resolutions",
"referrer",
"collections",
"contacted",
"efr1",
"parent domain",
"amazon 02",
"metro",
"crypto",
"cisco umbrella",
"site",
"safe site",
"heur",
"malware",
"alexa top",
"million",
"malicious url",
"malware site",
"malicious site",
"opencandy",
"riskware",
"unsafe",
"phishing",
"zbot",
"team",
"exploit",
"agent",
"mimikatz",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"downldr",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"artemis",
"blacknet rat",
"stealer",
"trojanspy",
"blacklist https",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag count",
"tsara brashears",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"whois record",
"contacted urls",
"siblings domain",
"execution",
"goldmax",
"goldfinder",
"sibot",
"emotet",
"united",
"phishing site",
"maltiverse",
"adware",
"phishtank",
"xtrat",
"xrat",
"redline stealer",
"xtreme",
"crack",
"genkryptik",
"deepscan",
"win64",
"quasar rat",
"fareit",
"downloader",
"trojan",
"alexa",
"iframe",
"cve201711882",
"phish",
"genpack",
"suspicious",
"magazine",
"applicunwnt",
"cobalt strike",
"malicious",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"ascii text",
"mitre att",
"ck id",
"date",
"unknown",
"hybrid",
"accept",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"pmejdjsu12",
"Royal Bank of Scotland",
"Phishing Bank of America Corporation",
"Phishing Netflix",
"Phishing Wells Fargo",
"Phishing RuneScape",
"Phishing Internal Revenue Service",
"Phtarget unspecified phishing",
"PAYPAL phishing",
"Phishing Indeed",
"Phishing eBay, Inc",
"PhisSafe",
"mobigame",
"Phishing Facebook",
"remote",
"mitm",
"tower",
"worm",
"firm",
"privilege",
"attacker",
"monitoring",
"cyber threat",
"apple",
"illegal",
"DNS_PROBE_STARTED",
"insurance",
"revenge",
"legal entities",
"https://boxofporn.com"
],
"references": [],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Trojan.Hotkeychick",
"display_name": "Trojan.Hotkeychick",
"target": null
},
{
"id": "CVE Exploits",
"display_name": "CVE Exploits",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Generic.ASMalwS",
"display_name": "Generic.ASMalwS",
"target": null
},
{
"id": "HackTool.CheatEngine",
"display_name": "HackTool.CheatEngine",
"target": null
},
{
"id": "HackTool.BruteForce",
"display_name": "HackTool.BruteForce",
"target": null
},
{
"id": "Virus.Sality",
"display_name": "Virus.Sality",
"target": null
},
{
"id": "W32.Malware",
"display_name": "W32.Malware",
"target": null
},
{
"id": "TSGeneric",
"display_name": "TSGeneric",
"target": null
},
{
"id": "Trojan.OTNR",
"display_name": "Trojan.OTNR",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Mimikatz - S0002",
"display_name": "Mimikatz - S0002",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax - S0588",
"display_name": "GoldMax - S0588",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "Downloader.OpenCandy",
"display_name": "Downloader.OpenCandy",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "GoogleToolbar",
"display_name": "GoogleToolbar",
"target": null
},
{
"id": "BScope.Adware.MSIL",
"display_name": "BScope.Adware.MSIL",
"target": null
},
{
"id": "Application.Auslogics",
"display_name": "Application.Auslogics",
"target": null
},
{
"id": "PE.Heur",
"display_name": "PE.Heur",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler.DownloadGuide",
"display_name": "Gen:Variant.Application.Bundler.DownloadGuide",
"target": null
},
{
"id": "Trojan:Win32/Xtrat",
"display_name": "Trojan:Win32/Xtrat",
"target": "/malware/Trojan:Win32/Xtrat"
},
{
"id": "Xtreme RAT",
"display_name": "Xtreme RAT",
"target": null
},
{
"id": "ML.Attribute",
"display_name": "ML.Attribute",
"target": null
},
{
"id": "AGEN.1045143",
"display_name": "AGEN.1045143",
"target": null
},
{
"id": "Hoax.DeceptPCClean",
"display_name": "Hoax.DeceptPCClean",
"target": null
},
{
"id": "Packed.Themida",
"display_name": "Packed.Themida",
"target": null
},
{
"id": "MSIL_Bladabindi.G.gen",
"display_name": "MSIL_Bladabindi.G.gen",
"target": null
},
{
"id": "Gen:NN.ZexaF.34090",
"display_name": "Gen:NN.ZexaF.34090",
"target": null
},
{
"id": "Unsafe.AI_Score_95% 2",
"display_name": "Unsafe.AI_Score_95% 2",
"target": null
},
{
"id": "BScope.Trojan",
"display_name": "BScope.Trojan",
"target": null
},
{
"id": "JS:Trojan.HideLink 2",
"display_name": "JS:Trojan.HideLink 2",
"target": null
},
{
"id": "Gen:Variant.Symmi",
"display_name": "Gen:Variant.Symmi",
"target": null
},
{
"id": "Gen:Heur.MSIL.Inject",
"display_name": "Gen:Heur.MSIL.Inject",
"target": null
},
{
"id": "Application.BitCoinMiner",
"display_name": "Application.BitCoinMiner",
"target": null
},
{
"id": "WebToolbar.Asparnet",
"display_name": "WebToolbar.Asparnet",
"target": null
},
{
"id": "W32.HfsAutoB",
"display_name": "W32.HfsAutoB",
"target": null
},
{
"id": "Gen:Variant.Ursu",
"display_name": "Gen:Variant.Ursu",
"target": null
},
{
"id": "HW32.Packed",
"display_name": "HW32.Packed",
"target": null
},
{
"id": "Application.Deceptor",
"display_name": "Application.Deceptor",
"target": null
},
{
"id": "Backdoor.Androm",
"display_name": "Backdoor.Androm",
"target": null
},
{
"id": "HEUR:Hoax.PCFixer",
"display_name": "HEUR:Hoax.PCFixer",
"target": null
},
{
"id": "Gen:Variant.Jacard",
"display_name": "Gen:Variant.Jacard",
"target": null
},
{
"id": "Tool.Patcher",
"display_name": "Tool.Patcher",
"target": null
},
{
"id": "Trojan.Khalesi 2\tAdware 2",
"display_name": "Trojan.Khalesi 2\tAdware 2",
"target": null
},
{
"id": "RiskWare.HackTool.Agent",
"display_name": "RiskWare.HackTool.Agent",
"target": null
},
{
"id": "Unsafe.AI_Score_94%",
"display_name": "Unsafe.AI_Score_94%",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "RiskWare.Crack",
"display_name": "RiskWare.Crack",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "VB:Trojan.Valyria",
"display_name": "VB:Trojan.Valyria",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Warezov.gen3",
"display_name": "Warezov.gen3",
"target": null
},
{
"id": "JS:Trojan.Clicker",
"display_name": "JS:Trojan.Clicker",
"target": null
},
{
"id": "Nemucod.21C8",
"display_name": "Nemucod.21C8",
"target": null
},
{
"id": "Asparnet.P",
"display_name": "Asparnet.P",
"target": null
},
{
"id": "InstallCore.Gen7",
"display_name": "InstallCore.Gen7",
"target": null
},
{
"id": "CsQKHtaAI",
"display_name": "CsQKHtaAI",
"target": null
},
{
"id": "Clicker.VB",
"display_name": "Clicker.VB",
"target": null
},
{
"id": "Exploit.Zip.Heuristic",
"display_name": "Exploit.Zip.Heuristic",
"target": null
},
{
"id": "Trojan.Ransom.GandCrab",
"display_name": "Trojan.Ransom.GandCrab",
"target": null
},
{
"id": "ScrInject.B",
"display_name": "ScrInject.B",
"target": null
},
{
"id": "ScrInject.eric",
"display_name": "ScrInject.eric",
"target": null
},
{
"id": "HEUR:Trojan.Diztakun",
"display_name": "HEUR:Trojan.Diztakun",
"target": null
},
{
"id": "Agent.OCJ",
"display_name": "Agent.OCJ",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Hacktool.Crack",
"display_name": "Hacktool.Crack",
"target": null
},
{
"id": "Backdoor.DTR.15",
"display_name": "Backdoor.DTR.15",
"target": null
},
{
"id": "Freemake.A potentially unwanted",
"display_name": "Freemake.A potentially unwanted",
"target": null
},
{
"id": "Absolute Uninstaller",
"display_name": "Absolute Uninstaller",
"target": null
},
{
"id": "HTML:Script",
"display_name": "HTML:Script",
"target": null
},
{
"id": "Trojan.Small",
"display_name": "Trojan.Small",
"target": null
},
{
"id": "HackTool.Crack",
"display_name": "HackTool.Crack",
"target": null
},
{
"id": "Generic.Application.JS.Sobrab.1",
"display_name": "Generic.Application.JS.Sobrab.1",
"target": null
},
{
"id": "Trojan.Rozena",
"display_name": "Trojan.Rozena",
"target": null
},
{
"id": "Trojan.Downloader",
"display_name": "Trojan.Downloader",
"target": null
},
{
"id": "Trojan.Bayrob",
"display_name": "Trojan.Bayrob",
"target": null
},
{
"id": "Adware.OxyPumper",
"display_name": "Adware.OxyPumper",
"target": null
},
{
"id": "Worm.Chir",
"display_name": "Worm.Chir",
"target": null
},
{
"id": "Trojan.Linux.Generic",
"display_name": "Trojan.Linux.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Heur.BZC.YAX.Boxter.819",
"display_name": "Heur.BZC.YAX.Boxter.819",
"target": null
},
{
"id": "Faceliker.D",
"display_name": "Faceliker.D",
"target": null
},
{
"id": "Adware",
"display_name": "Adware",
"target": null
},
{
"id": "DeepScan:Generic.BrResMon.1",
"display_name": "DeepScan:Generic.BrResMon.1",
"target": null
},
{
"id": "Adware.KuziTui",
"display_name": "Adware.KuziTui",
"target": null
},
{
"id": "Trojan.Brsecmon",
"display_name": "Trojan.Brsecmon",
"target": null
},
{
"id": "SigRiskware.LespeedTechnologyLtd",
"display_name": "SigRiskware.LespeedTechnologyLtd",
"target": null
},
{
"id": "Doplik.J",
"display_name": "Doplik.J",
"target": null
},
{
"id": "Backdoor.Nhopro",
"display_name": "Backdoor.Nhopro",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "Gen:NN.ZemsilF.32515",
"display_name": "Gen:NN.ZemsilF.32515",
"target": null
},
{
"id": "Downware",
"display_name": "Downware",
"target": null
},
{
"id": "MxResIcn.Heur",
"display_name": "MxResIcn.Heur",
"target": null
},
{
"id": "Mimikatz",
"display_name": "Mimikatz",
"target": null
},
{
"id": "Magazine phishing",
"display_name": "Magazine phishing",
"target": null
},
{
"id": "ApplicUnwnt@#2n6\tIRS",
"display_name": "ApplicUnwnt@#2n6\tIRS",
"target": null
},
{
"id": "TEL:Trojan:HTML/Phishing",
"display_name": "TEL:Trojan:HTML/Phishing",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Trojan.GandCrypt",
"display_name": "Trojan.GandCrypt",
"target": null
},
{
"id": "Redirector.AN",
"display_name": "Redirector.AN",
"target": null
},
{
"id": "Agent.CUX.gen",
"display_name": "Agent.CUX.gen",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler",
"display_name": "Gen:Variant.Application.Bundler",
"target": null
},
{
"id": "Downloader.Generic",
"display_name": "Downloader.Generic",
"target": null
},
{
"id": "Trojan.ClipBanker",
"display_name": "Trojan.ClipBanker",
"target": null
},
{
"id": "TrojanDropper.Autit",
"display_name": "TrojanDropper.Autit",
"target": null
},
{
"id": "Dropper.Trojan.Agent",
"display_name": "Dropper.Trojan.Agent",
"target": null
},
{
"id": "QVM05.1.08E5.Malware",
"display_name": "QVM05.1.08E5.Malware",
"target": null
},
{
"id": "Trojan.CookiesStealer",
"display_name": "Trojan.CookiesStealer",
"target": null
},
{
"id": "Agent.MU",
"display_name": "Agent.MU",
"target": null
},
{
"id": "Wacatac.B",
"display_name": "Wacatac.B",
"target": null
},
{
"id": "Dropper.Gen",
"display_name": "Dropper.Gen",
"target": null
},
{
"id": "WiseCleaner.A potentially unwanted",
"display_name": "WiseCleaner.A potentially unwanted",
"target": null
},
{
"id": "Gen:Heur.MSIL.Androm",
"display_name": "Gen:Heur.MSIL.Androm",
"target": null
},
{
"id": "Gen:NN.ZemsilF.34170",
"display_name": "Gen:NN.ZemsilF.34170",
"target": null
},
{
"id": "Gen:Variant.MSILHeracles",
"display_name": "Gen:Variant.MSILHeracles",
"target": null
},
{
"id": "Trojan.DownLoader33",
"display_name": "Trojan.DownLoader33",
"target": null
},
{
"id": "Trojan.MSIL",
"display_name": "Trojan.MSIL",
"target": null
},
{
"id": "Program.Freemake",
"display_name": "Program.Freemake",
"target": null
},
{
"id": "Kryptik.dawvk",
"display_name": "Kryptik.dawvk",
"target": null
},
{
"id": "AdwareSig [Adw]",
"display_name": "AdwareSig [Adw]",
"target": null
},
{
"id": "Phishing JPMorgan Chase and Co.",
"display_name": "Phishing JPMorgan Chase and Co.",
"target": null
},
{
"id": "Adware.BrowseFoxCRTD",
"display_name": "Adware.BrowseFoxCRTD",
"target": null
},
{
"id": "Suspici.1F4405D1",
"display_name": "Suspici.1F4405D1",
"target": null
},
{
"id": "PUA.Wombat",
"display_name": "PUA.Wombat",
"target": null
},
{
"id": "AdWare.DealPly",
"display_name": "AdWare.DealPly",
"target": null
},
{
"id": "Injector.CUAM",
"display_name": "Injector.CUAM",
"target": null
},
{
"id": "Downldr.gen",
"display_name": "Downldr.gen",
"target": null
},
{
"id": "Troj_Gen.F04IE00CI19",
"display_name": "Troj_Gen.F04IE00CI19",
"target": null
},
{
"id": "Worm.Autorun",
"display_name": "Worm.Autorun",
"target": null
},
{
"id": "Worm.Boychi",
"display_name": "Worm.Boychi",
"target": null
},
{
"id": "Worm.Allaple",
"display_name": "Worm.Allaple",
"target": null
},
{
"id": "CVE-2014-3153",
"display_name": "CVE-2014-3153",
"target": null
},
{
"id": "BehavesLike.ICLoader",
"display_name": "BehavesLike.ICLoader",
"target": null
},
{
"id": "BScope.Backdoor",
"display_name": "BScope.Backdoor",
"target": null
},
{
"id": "Trojan.WIN32.PDF.Alien",
"display_name": "Trojan.WIN32.PDF.Alien",
"target": null
},
{
"id": "PUP.Systweak",
"display_name": "PUP.Systweak",
"target": null
},
{
"id": "Sabsik.FL.B",
"display_name": "Sabsik.FL.B",
"target": null
},
{
"id": "malicious.f01f67",
"display_name": "malicious.f01f67",
"target": null
},
{
"id": "AGEN.1144657",
"display_name": "AGEN.1144657",
"target": null
},
{
"id": "Gen:Variant.Tedy HackTool.VulnDriver",
"display_name": "Gen:Variant.Tedy HackTool.VulnDriver",
"target": null
},
{
"id": "Backdoor.Predator",
"display_name": "Backdoor.Predator",
"target": null
},
{
"id": "Kryptik.GKQR",
"display_name": "Kryptik.GKQR",
"target": null
},
{
"id": "DarkKomet.ife",
"display_name": "DarkKomet.ife",
"target": null
},
{
"id": "BehavesLike.Downloader",
"display_name": "BehavesLike.Downloader",
"target": null
},
{
"id": "Trojan.JS.Iframe",
"display_name": "Trojan.JS.Iframe",
"target": null
},
{
"id": "InstallCore.NP",
"display_name": "InstallCore.NP",
"target": null
},
{
"id": "Generic.JS.BlackHole",
"display_name": "Generic.JS.BlackHole",
"target": null
},
{
"id": "Dropper.Wanna",
"display_name": "Dropper.Wanna",
"target": null
},
{
"id": "Remote Utilities",
"display_name": "Remote Utilities",
"target": null
},
{
"id": "W32.InstallCore.AGX",
"display_name": "W32.InstallCore.AGX",
"target": null
},
{
"id": "NetTool.RemoteExec",
"display_name": "NetTool.RemoteExec",
"target": null
},
{
"id": "Bondat.A",
"display_name": "Bondat.A",
"target": null
},
{
"id": "VM201.0.B70B.Malware",
"display_name": "VM201.0.B70B.Malware",
"target": null
},
{
"id": "Riskware.NetFilter",
"display_name": "Riskware.NetFilter",
"target": null
},
{
"id": "Infected.WebPage",
"display_name": "Infected.WebPage",
"target": null
},
{
"id": "HEUR:Exploit.Script",
"display_name": "HEUR:Exploit.Script",
"target": null
},
{
"id": "BScope.TrojanDownloader",
"display_name": "BScope.TrojanDownloader",
"target": null
},
{
"id": "HTML:RedirBA",
"display_name": "HTML:RedirBA",
"target": null
},
{
"id": "Trojan.BAT.Qhost",
"display_name": "Trojan.BAT.Qhost",
"target": null
},
{
"id": "HTML:RedirME",
"display_name": "HTML:RedirME",
"target": null
},
{
"id": "TrojWare.JS.AdWare.Agent",
"display_name": "TrojWare.JS.AdWare.Agent",
"target": null
},
{
"id": "Packed.Dico",
"display_name": "Packed.Dico",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1602.001",
"name": "SNMP (MIB Dump)",
"display_name": "T1602.001 - SNMP (MIB Dump)"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1695,
"FileHash-SHA1": 756,
"FileHash-SHA256": 2029,
"domain": 290,
"URL": 1854,
"hostname": 568,
"CVE": 5
},
"indicator_count": 7197,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "875 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f09785f9ee8aebca2a667",
"name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration",
"description": "",
"modified": "2023-11-26T14:04:04.692000",
"created": "2023-10-30T01:40:08.022000",
"tags": [
"ssl certificate",
"historical ssl",
"resolutions",
"referrer",
"collections",
"contacted",
"efr1",
"parent domain",
"amazon 02",
"metro",
"crypto",
"cisco umbrella",
"site",
"safe site",
"heur",
"malware",
"alexa top",
"million",
"malicious url",
"malware site",
"malicious site",
"opencandy",
"riskware",
"unsafe",
"phishing",
"zbot",
"team",
"exploit",
"agent",
"mimikatz",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"downldr",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"artemis",
"blacknet rat",
"stealer",
"trojanspy",
"blacklist https",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag count",
"tsara brashears",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"whois record",
"contacted urls",
"siblings domain",
"execution",
"goldmax",
"goldfinder",
"sibot",
"emotet",
"united",
"phishing site",
"maltiverse",
"adware",
"phishtank",
"xtrat",
"xrat",
"redline stealer",
"xtreme",
"crack",
"genkryptik",
"deepscan",
"win64",
"quasar rat",
"fareit",
"downloader",
"trojan",
"alexa",
"iframe",
"cve201711882",
"phish",
"genpack",
"suspicious",
"magazine",
"applicunwnt",
"cobalt strike",
"malicious",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"ascii text",
"mitre att",
"ck id",
"date",
"unknown",
"hybrid",
"accept",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"pmejdjsu12",
"Royal Bank of Scotland",
"Phishing Bank of America Corporation",
"Phishing Netflix",
"Phishing Wells Fargo",
"Phishing RuneScape",
"Phishing Internal Revenue Service",
"Phtarget unspecified phishing",
"PAYPAL phishing",
"Phishing Indeed",
"Phishing eBay, Inc",
"PhisSafe",
"mobigame",
"Phishing Facebook",
"remote",
"mitm",
"tower",
"worm",
"firm",
"privilege",
"attacker",
"monitoring",
"cyber threat",
"apple",
"illegal",
"DNS_PROBE_STARTED",
"insurance",
"revenge",
"legal entities",
"https://boxofporn.com"
],
"references": [],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Trojan.Hotkeychick",
"display_name": "Trojan.Hotkeychick",
"target": null
},
{
"id": "CVE Exploits",
"display_name": "CVE Exploits",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Generic.ASMalwS",
"display_name": "Generic.ASMalwS",
"target": null
},
{
"id": "HackTool.CheatEngine",
"display_name": "HackTool.CheatEngine",
"target": null
},
{
"id": "HackTool.BruteForce",
"display_name": "HackTool.BruteForce",
"target": null
},
{
"id": "Virus.Sality",
"display_name": "Virus.Sality",
"target": null
},
{
"id": "W32.Malware",
"display_name": "W32.Malware",
"target": null
},
{
"id": "TSGeneric",
"display_name": "TSGeneric",
"target": null
},
{
"id": "Trojan.OTNR",
"display_name": "Trojan.OTNR",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Mimikatz - S0002",
"display_name": "Mimikatz - S0002",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax - S0588",
"display_name": "GoldMax - S0588",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "Downloader.OpenCandy",
"display_name": "Downloader.OpenCandy",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "GoogleToolbar",
"display_name": "GoogleToolbar",
"target": null
},
{
"id": "BScope.Adware.MSIL",
"display_name": "BScope.Adware.MSIL",
"target": null
},
{
"id": "Application.Auslogics",
"display_name": "Application.Auslogics",
"target": null
},
{
"id": "PE.Heur",
"display_name": "PE.Heur",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler.DownloadGuide",
"display_name": "Gen:Variant.Application.Bundler.DownloadGuide",
"target": null
},
{
"id": "Trojan:Win32/Xtrat",
"display_name": "Trojan:Win32/Xtrat",
"target": "/malware/Trojan:Win32/Xtrat"
},
{
"id": "Xtreme RAT",
"display_name": "Xtreme RAT",
"target": null
},
{
"id": "ML.Attribute",
"display_name": "ML.Attribute",
"target": null
},
{
"id": "AGEN.1045143",
"display_name": "AGEN.1045143",
"target": null
},
{
"id": "Hoax.DeceptPCClean",
"display_name": "Hoax.DeceptPCClean",
"target": null
},
{
"id": "Packed.Themida",
"display_name": "Packed.Themida",
"target": null
},
{
"id": "MSIL_Bladabindi.G.gen",
"display_name": "MSIL_Bladabindi.G.gen",
"target": null
},
{
"id": "Gen:NN.ZexaF.34090",
"display_name": "Gen:NN.ZexaF.34090",
"target": null
},
{
"id": "Unsafe.AI_Score_95% 2",
"display_name": "Unsafe.AI_Score_95% 2",
"target": null
},
{
"id": "BScope.Trojan",
"display_name": "BScope.Trojan",
"target": null
},
{
"id": "JS:Trojan.HideLink 2",
"display_name": "JS:Trojan.HideLink 2",
"target": null
},
{
"id": "Gen:Variant.Symmi",
"display_name": "Gen:Variant.Symmi",
"target": null
},
{
"id": "Gen:Heur.MSIL.Inject",
"display_name": "Gen:Heur.MSIL.Inject",
"target": null
},
{
"id": "Application.BitCoinMiner",
"display_name": "Application.BitCoinMiner",
"target": null
},
{
"id": "WebToolbar.Asparnet",
"display_name": "WebToolbar.Asparnet",
"target": null
},
{
"id": "W32.HfsAutoB",
"display_name": "W32.HfsAutoB",
"target": null
},
{
"id": "Gen:Variant.Ursu",
"display_name": "Gen:Variant.Ursu",
"target": null
},
{
"id": "HW32.Packed",
"display_name": "HW32.Packed",
"target": null
},
{
"id": "Application.Deceptor",
"display_name": "Application.Deceptor",
"target": null
},
{
"id": "Backdoor.Androm",
"display_name": "Backdoor.Androm",
"target": null
},
{
"id": "HEUR:Hoax.PCFixer",
"display_name": "HEUR:Hoax.PCFixer",
"target": null
},
{
"id": "Gen:Variant.Jacard",
"display_name": "Gen:Variant.Jacard",
"target": null
},
{
"id": "Tool.Patcher",
"display_name": "Tool.Patcher",
"target": null
},
{
"id": "Trojan.Khalesi 2\tAdware 2",
"display_name": "Trojan.Khalesi 2\tAdware 2",
"target": null
},
{
"id": "RiskWare.HackTool.Agent",
"display_name": "RiskWare.HackTool.Agent",
"target": null
},
{
"id": "Unsafe.AI_Score_94%",
"display_name": "Unsafe.AI_Score_94%",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "RiskWare.Crack",
"display_name": "RiskWare.Crack",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "VB:Trojan.Valyria",
"display_name": "VB:Trojan.Valyria",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Warezov.gen3",
"display_name": "Warezov.gen3",
"target": null
},
{
"id": "JS:Trojan.Clicker",
"display_name": "JS:Trojan.Clicker",
"target": null
},
{
"id": "Nemucod.21C8",
"display_name": "Nemucod.21C8",
"target": null
},
{
"id": "Asparnet.P",
"display_name": "Asparnet.P",
"target": null
},
{
"id": "InstallCore.Gen7",
"display_name": "InstallCore.Gen7",
"target": null
},
{
"id": "CsQKHtaAI",
"display_name": "CsQKHtaAI",
"target": null
},
{
"id": "Clicker.VB",
"display_name": "Clicker.VB",
"target": null
},
{
"id": "Exploit.Zip.Heuristic",
"display_name": "Exploit.Zip.Heuristic",
"target": null
},
{
"id": "Trojan.Ransom.GandCrab",
"display_name": "Trojan.Ransom.GandCrab",
"target": null
},
{
"id": "ScrInject.B",
"display_name": "ScrInject.B",
"target": null
},
{
"id": "ScrInject.eric",
"display_name": "ScrInject.eric",
"target": null
},
{
"id": "HEUR:Trojan.Diztakun",
"display_name": "HEUR:Trojan.Diztakun",
"target": null
},
{
"id": "Agent.OCJ",
"display_name": "Agent.OCJ",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Hacktool.Crack",
"display_name": "Hacktool.Crack",
"target": null
},
{
"id": "Backdoor.DTR.15",
"display_name": "Backdoor.DTR.15",
"target": null
},
{
"id": "Freemake.A potentially unwanted",
"display_name": "Freemake.A potentially unwanted",
"target": null
},
{
"id": "Absolute Uninstaller",
"display_name": "Absolute Uninstaller",
"target": null
},
{
"id": "HTML:Script",
"display_name": "HTML:Script",
"target": null
},
{
"id": "Trojan.Small",
"display_name": "Trojan.Small",
"target": null
},
{
"id": "HackTool.Crack",
"display_name": "HackTool.Crack",
"target": null
},
{
"id": "Generic.Application.JS.Sobrab.1",
"display_name": "Generic.Application.JS.Sobrab.1",
"target": null
},
{
"id": "Trojan.Rozena",
"display_name": "Trojan.Rozena",
"target": null
},
{
"id": "Trojan.Downloader",
"display_name": "Trojan.Downloader",
"target": null
},
{
"id": "Trojan.Bayrob",
"display_name": "Trojan.Bayrob",
"target": null
},
{
"id": "Adware.OxyPumper",
"display_name": "Adware.OxyPumper",
"target": null
},
{
"id": "Worm.Chir",
"display_name": "Worm.Chir",
"target": null
},
{
"id": "Trojan.Linux.Generic",
"display_name": "Trojan.Linux.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Heur.BZC.YAX.Boxter.819",
"display_name": "Heur.BZC.YAX.Boxter.819",
"target": null
},
{
"id": "Faceliker.D",
"display_name": "Faceliker.D",
"target": null
},
{
"id": "Adware",
"display_name": "Adware",
"target": null
},
{
"id": "DeepScan:Generic.BrResMon.1",
"display_name": "DeepScan:Generic.BrResMon.1",
"target": null
},
{
"id": "Adware.KuziTui",
"display_name": "Adware.KuziTui",
"target": null
},
{
"id": "Trojan.Brsecmon",
"display_name": "Trojan.Brsecmon",
"target": null
},
{
"id": "SigRiskware.LespeedTechnologyLtd",
"display_name": "SigRiskware.LespeedTechnologyLtd",
"target": null
},
{
"id": "Doplik.J",
"display_name": "Doplik.J",
"target": null
},
{
"id": "Backdoor.Nhopro",
"display_name": "Backdoor.Nhopro",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "Gen:NN.ZemsilF.32515",
"display_name": "Gen:NN.ZemsilF.32515",
"target": null
},
{
"id": "Downware",
"display_name": "Downware",
"target": null
},
{
"id": "MxResIcn.Heur",
"display_name": "MxResIcn.Heur",
"target": null
},
{
"id": "Mimikatz",
"display_name": "Mimikatz",
"target": null
},
{
"id": "Magazine phishing",
"display_name": "Magazine phishing",
"target": null
},
{
"id": "ApplicUnwnt@#2n6\tIRS",
"display_name": "ApplicUnwnt@#2n6\tIRS",
"target": null
},
{
"id": "TEL:Trojan:HTML/Phishing",
"display_name": "TEL:Trojan:HTML/Phishing",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Trojan.GandCrypt",
"display_name": "Trojan.GandCrypt",
"target": null
},
{
"id": "Redirector.AN",
"display_name": "Redirector.AN",
"target": null
},
{
"id": "Agent.CUX.gen",
"display_name": "Agent.CUX.gen",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler",
"display_name": "Gen:Variant.Application.Bundler",
"target": null
},
{
"id": "Downloader.Generic",
"display_name": "Downloader.Generic",
"target": null
},
{
"id": "Trojan.ClipBanker",
"display_name": "Trojan.ClipBanker",
"target": null
},
{
"id": "TrojanDropper.Autit",
"display_name": "TrojanDropper.Autit",
"target": null
},
{
"id": "Dropper.Trojan.Agent",
"display_name": "Dropper.Trojan.Agent",
"target": null
},
{
"id": "QVM05.1.08E5.Malware",
"display_name": "QVM05.1.08E5.Malware",
"target": null
},
{
"id": "Trojan.CookiesStealer",
"display_name": "Trojan.CookiesStealer",
"target": null
},
{
"id": "Agent.MU",
"display_name": "Agent.MU",
"target": null
},
{
"id": "Wacatac.B",
"display_name": "Wacatac.B",
"target": null
},
{
"id": "Dropper.Gen",
"display_name": "Dropper.Gen",
"target": null
},
{
"id": "WiseCleaner.A potentially unwanted",
"display_name": "WiseCleaner.A potentially unwanted",
"target": null
},
{
"id": "Gen:Heur.MSIL.Androm",
"display_name": "Gen:Heur.MSIL.Androm",
"target": null
},
{
"id": "Gen:NN.ZemsilF.34170",
"display_name": "Gen:NN.ZemsilF.34170",
"target": null
},
{
"id": "Gen:Variant.MSILHeracles",
"display_name": "Gen:Variant.MSILHeracles",
"target": null
},
{
"id": "Trojan.DownLoader33",
"display_name": "Trojan.DownLoader33",
"target": null
},
{
"id": "Trojan.MSIL",
"display_name": "Trojan.MSIL",
"target": null
},
{
"id": "Program.Freemake",
"display_name": "Program.Freemake",
"target": null
},
{
"id": "Kryptik.dawvk",
"display_name": "Kryptik.dawvk",
"target": null
},
{
"id": "AdwareSig [Adw]",
"display_name": "AdwareSig [Adw]",
"target": null
},
{
"id": "Phishing JPMorgan Chase and Co.",
"display_name": "Phishing JPMorgan Chase and Co.",
"target": null
},
{
"id": "Adware.BrowseFoxCRTD",
"display_name": "Adware.BrowseFoxCRTD",
"target": null
},
{
"id": "Suspici.1F4405D1",
"display_name": "Suspici.1F4405D1",
"target": null
},
{
"id": "PUA.Wombat",
"display_name": "PUA.Wombat",
"target": null
},
{
"id": "AdWare.DealPly",
"display_name": "AdWare.DealPly",
"target": null
},
{
"id": "Injector.CUAM",
"display_name": "Injector.CUAM",
"target": null
},
{
"id": "Downldr.gen",
"display_name": "Downldr.gen",
"target": null
},
{
"id": "Troj_Gen.F04IE00CI19",
"display_name": "Troj_Gen.F04IE00CI19",
"target": null
},
{
"id": "Worm.Autorun",
"display_name": "Worm.Autorun",
"target": null
},
{
"id": "Worm.Boychi",
"display_name": "Worm.Boychi",
"target": null
},
{
"id": "Worm.Allaple",
"display_name": "Worm.Allaple",
"target": null
},
{
"id": "CVE-2014-3153",
"display_name": "CVE-2014-3153",
"target": null
},
{
"id": "BehavesLike.ICLoader",
"display_name": "BehavesLike.ICLoader",
"target": null
},
{
"id": "BScope.Backdoor",
"display_name": "BScope.Backdoor",
"target": null
},
{
"id": "Trojan.WIN32.PDF.Alien",
"display_name": "Trojan.WIN32.PDF.Alien",
"target": null
},
{
"id": "PUP.Systweak",
"display_name": "PUP.Systweak",
"target": null
},
{
"id": "Sabsik.FL.B",
"display_name": "Sabsik.FL.B",
"target": null
},
{
"id": "malicious.f01f67",
"display_name": "malicious.f01f67",
"target": null
},
{
"id": "AGEN.1144657",
"display_name": "AGEN.1144657",
"target": null
},
{
"id": "Gen:Variant.Tedy HackTool.VulnDriver",
"display_name": "Gen:Variant.Tedy HackTool.VulnDriver",
"target": null
},
{
"id": "Backdoor.Predator",
"display_name": "Backdoor.Predator",
"target": null
},
{
"id": "Kryptik.GKQR",
"display_name": "Kryptik.GKQR",
"target": null
},
{
"id": "DarkKomet.ife",
"display_name": "DarkKomet.ife",
"target": null
},
{
"id": "BehavesLike.Downloader",
"display_name": "BehavesLike.Downloader",
"target": null
},
{
"id": "Trojan.JS.Iframe",
"display_name": "Trojan.JS.Iframe",
"target": null
},
{
"id": "InstallCore.NP",
"display_name": "InstallCore.NP",
"target": null
},
{
"id": "Generic.JS.BlackHole",
"display_name": "Generic.JS.BlackHole",
"target": null
},
{
"id": "Dropper.Wanna",
"display_name": "Dropper.Wanna",
"target": null
},
{
"id": "Remote Utilities",
"display_name": "Remote Utilities",
"target": null
},
{
"id": "W32.InstallCore.AGX",
"display_name": "W32.InstallCore.AGX",
"target": null
},
{
"id": "NetTool.RemoteExec",
"display_name": "NetTool.RemoteExec",
"target": null
},
{
"id": "Bondat.A",
"display_name": "Bondat.A",
"target": null
},
{
"id": "VM201.0.B70B.Malware",
"display_name": "VM201.0.B70B.Malware",
"target": null
},
{
"id": "Riskware.NetFilter",
"display_name": "Riskware.NetFilter",
"target": null
},
{
"id": "Infected.WebPage",
"display_name": "Infected.WebPage",
"target": null
},
{
"id": "HEUR:Exploit.Script",
"display_name": "HEUR:Exploit.Script",
"target": null
},
{
"id": "BScope.TrojanDownloader",
"display_name": "BScope.TrojanDownloader",
"target": null
},
{
"id": "HTML:RedirBA",
"display_name": "HTML:RedirBA",
"target": null
},
{
"id": "Trojan.BAT.Qhost",
"display_name": "Trojan.BAT.Qhost",
"target": null
},
{
"id": "HTML:RedirME",
"display_name": "HTML:RedirME",
"target": null
},
{
"id": "TrojWare.JS.AdWare.Agent",
"display_name": "TrojWare.JS.AdWare.Agent",
"target": null
},
{
"id": "Packed.Dico",
"display_name": "Packed.Dico",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1602.001",
"name": "SNMP (MIB Dump)",
"display_name": "T1602.001 - SNMP (MIB Dump)"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "653bf3b076e4dbcd0c099992",
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1695,
"FileHash-SHA1": 756,
"FileHash-SHA256": 2029,
"domain": 290,
"URL": 1854,
"hostname": 568,
"CVE": 5
},
"indicator_count": 7197,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "875 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f14eabcb037c4257b827b",
"name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com",
"description": "",
"modified": "2023-11-04T16:00:22.229000",
"created": "2023-10-30T02:28:58.264000",
"tags": [
"engineering",
"united",
"cyber threat",
"team",
"malware",
"telefonica co",
"heur",
"malicious site",
"ip reputation",
"bambernek pony",
"zeus",
"nymaim",
"facebook",
"raccoon",
"download",
"kronos",
"ramnit",
"simda",
"bank",
"phishing",
"citadel",
"zbot",
"pykspa",
"agent",
"maltiverse",
"noname057",
"copyright",
"reserved",
"flag",
"date",
"name server",
"markmonitor",
"server",
"organization",
"germany germany",
"sample",
"session details",
"click",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"exit node",
"traffic group",
"suricata alerts",
"event category",
"analysis",
"malicious url",
"windows nt",
"wow64",
"response",
"gmt contenttype",
"gecko host",
"vary",
"gmt etag",
"general gets",
"script",
"parking crew",
"apple",
"apple id",
"tsara",
"tsara brashears",
"spyware",
"cyber criminal",
"cyber stalking",
"track",
"track iphone",
"accept all platforms",
"infringement",
"intellectual property",
"suricata",
"alert",
"red team",
"happywifehappylife",
"malicious",
"revenge",
"posts",
"post",
"post to web",
"post to server",
"exploit",
"command_and_control",
"toggle",
"logon",
"login",
"privilege",
"ios",
"attack",
"mitre",
"Packed.VMProt",
"apple engineering",
"abuse",
"cve",
"robots",
"arizona",
"bounce",
"canada",
"croatia",
"base64_encoded",
"%samplepath%",
"tagging",
"png image",
"PSI-USA, Inc. dba Domain Robot Organization",
"dns",
"query",
"evasive",
"crack",
"record type",
"ttl value",
"dns replication",
"santa fe",
"available from",
"registrar abuse",
"iana id",
"domain status",
"creation date",
"registrar url",
"code",
"dapato",
"predator",
"win64",
"conduit",
"fakeinstaller",
"installpack",
"generic",
"downloader",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"filetour",
"wacatac",
"fusioncore",
"cleaner",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"swrort",
"kraddare",
"systweak",
"iobit",
"installcore",
"artemis",
"riskware",
"dllinject",
"driverpack",
"trojanspy",
"webtoolbar",
"cisco umbrella",
"ip hostname",
"safe site",
"site",
"targeted",
"AI",
"dllinject"
],
"references": [
"Spyware",
"Parking Crew Spyware",
"c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG",
"http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e",
"service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM",
"d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG",
"https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d",
"wTools",
"Research and Analysis",
"go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET",
"dllinject"
],
"public": 1,
"adversary": "Cyber Criminal",
"targeted_countries": [
"Argentina",
"Ireland",
"United States of America"
],
"malware_families": [
{
"id": "Looquer",
"display_name": "Looquer",
"target": null
},
{
"id": "TinyZBot - S0004",
"display_name": "TinyZBot - S0004",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Bambernek Pony",
"display_name": "Bambernek Pony",
"target": null
},
{
"id": "Ransom:Win32/Nymaim",
"display_name": "Ransom:Win32/Nymaim",
"target": "/malware/Ransom:Win32/Nymaim"
},
{
"id": "Backdoor:Win32/Simda",
"display_name": "Backdoor:Win32/Simda",
"target": "/malware/Backdoor:Win32/Simda"
},
{
"id": "TrojanSpy:Win32/Kronos",
"display_name": "TrojanSpy:Win32/Kronos",
"target": "/malware/TrojanSpy:Win32/Kronos"
},
{
"id": "Trojan:Win32/Raccoonstealer",
"display_name": "Trojan:Win32/Raccoonstealer",
"target": "/malware/Trojan:Win32/Raccoonstealer"
},
{
"id": "Packed.VMProtect",
"display_name": "Packed.VMProtect",
"target": null
},
{
"id": "Spammer:Win32/Noname",
"display_name": "Spammer:Win32/Noname",
"target": "/malware/Spammer:Win32/Noname"
},
{
"id": "Worm:Win32/Pykspa",
"display_name": "Worm:Win32/Pykspa",
"target": "/malware/Worm:Win32/Pykspa"
},
{
"id": "Banker",
"display_name": "Banker",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Trojan:MSIL/Razy",
"display_name": "Trojan:MSIL/Razy",
"target": "/malware/Trojan:MSIL/Razy"
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:PUA:Win32/IObit",
"display_name": "ALF:PUA:Win32/IObit",
"target": null
},
{
"id": "TrojanDownloader:Win32/Kraddare",
"display_name": "TrojanDownloader:Win32/Kraddare",
"target": "/malware/TrojanDownloader:Win32/Kraddare"
},
{
"id": "ALF:PUA:Win32/FusionCore",
"display_name": "ALF:PUA:Win32/FusionCore",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"target": null
},
{
"id": "Trojan:Win32/Qbot",
"display_name": "Trojan:Win32/Qbot",
"target": "/malware/Trojan:Win32/Qbot"
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
},
{
"id": "ALF:JASYP:PUAWin32/Systweak",
"display_name": "ALF:JASYP:PUAWin32/Systweak",
"target": null
},
{
"id": "Trojan:Win32/Dapato",
"display_name": "Trojan:Win32/Dapato",
"target": "/malware/Trojan:Win32/Dapato"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1070.003",
"name": "Clear Command History",
"display_name": "T1070.003 - Clear Command History"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "651f177187ed5eba41657bf4",
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 485,
"hostname": 551,
"URL": 1019,
"FileHash-SHA256": 650,
"CVE": 5,
"FileHash-MD5": 425,
"FileHash-SHA1": 224,
"FilePath": 2,
"email": 2
},
"indicator_count": 3363,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "897 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "651f177187ed5eba41657bf4",
"name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com",
"description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI",
"modified": "2023-11-04T16:00:22.229000",
"created": "2023-10-05T20:07:13.805000",
"tags": [
"engineering",
"united",
"cyber threat",
"team",
"malware",
"telefonica co",
"heur",
"malicious site",
"ip reputation",
"bambernek pony",
"zeus",
"nymaim",
"facebook",
"raccoon",
"download",
"kronos",
"ramnit",
"simda",
"bank",
"phishing",
"citadel",
"zbot",
"pykspa",
"agent",
"maltiverse",
"noname057",
"copyright",
"reserved",
"flag",
"date",
"name server",
"markmonitor",
"server",
"organization",
"germany germany",
"sample",
"session details",
"click",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"exit node",
"traffic group",
"suricata alerts",
"event category",
"analysis",
"malicious url",
"windows nt",
"wow64",
"response",
"gmt contenttype",
"gecko host",
"vary",
"gmt etag",
"general gets",
"script",
"parking crew",
"apple",
"apple id",
"tsara",
"tsara brashears",
"spyware",
"cyber criminal",
"cyber stalking",
"track",
"track iphone",
"accept all platforms",
"infringement",
"intellectual property",
"suricata",
"alert",
"red team",
"happywifehappylife",
"malicious",
"revenge",
"posts",
"post",
"post to web",
"post to server",
"exploit",
"command_and_control",
"toggle",
"logon",
"login",
"privilege",
"ios",
"attack",
"mitre",
"Packed.VMProt",
"apple engineering",
"abuse",
"cve",
"robots",
"arizona",
"bounce",
"canada",
"croatia",
"base64_encoded",
"%samplepath%",
"tagging",
"png image",
"PSI-USA, Inc. dba Domain Robot Organization",
"dns",
"query",
"evasive",
"crack",
"record type",
"ttl value",
"dns replication",
"santa fe",
"available from",
"registrar abuse",
"iana id",
"domain status",
"creation date",
"registrar url",
"code",
"dapato",
"predator",
"win64",
"conduit",
"fakeinstaller",
"installpack",
"generic",
"downloader",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"filetour",
"wacatac",
"fusioncore",
"cleaner",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"swrort",
"kraddare",
"systweak",
"iobit",
"installcore",
"artemis",
"riskware",
"dllinject",
"driverpack",
"trojanspy",
"webtoolbar",
"cisco umbrella",
"ip hostname",
"safe site",
"site",
"targeted",
"AI",
"dllinject"
],
"references": [
"Spyware",
"Parking Crew Spyware",
"c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG",
"http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e",
"service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM",
"d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG",
"https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d",
"wTools",
"Research and Analysis",
"go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET",
"dllinject"
],
"public": 1,
"adversary": "Cyber Criminal",
"targeted_countries": [
"Argentina",
"Ireland",
"United States of America"
],
"malware_families": [
{
"id": "Looquer",
"display_name": "Looquer",
"target": null
},
{
"id": "TinyZBot - S0004",
"display_name": "TinyZBot - S0004",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Bambernek Pony",
"display_name": "Bambernek Pony",
"target": null
},
{
"id": "Ransom:Win32/Nymaim",
"display_name": "Ransom:Win32/Nymaim",
"target": "/malware/Ransom:Win32/Nymaim"
},
{
"id": "Backdoor:Win32/Simda",
"display_name": "Backdoor:Win32/Simda",
"target": "/malware/Backdoor:Win32/Simda"
},
{
"id": "TrojanSpy:Win32/Kronos",
"display_name": "TrojanSpy:Win32/Kronos",
"target": "/malware/TrojanSpy:Win32/Kronos"
},
{
"id": "Trojan:Win32/Raccoonstealer",
"display_name": "Trojan:Win32/Raccoonstealer",
"target": "/malware/Trojan:Win32/Raccoonstealer"
},
{
"id": "Packed.VMProtect",
"display_name": "Packed.VMProtect",
"target": null
},
{
"id": "Spammer:Win32/Noname",
"display_name": "Spammer:Win32/Noname",
"target": "/malware/Spammer:Win32/Noname"
},
{
"id": "Worm:Win32/Pykspa",
"display_name": "Worm:Win32/Pykspa",
"target": "/malware/Worm:Win32/Pykspa"
},
{
"id": "Banker",
"display_name": "Banker",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Trojan:MSIL/Razy",
"display_name": "Trojan:MSIL/Razy",
"target": "/malware/Trojan:MSIL/Razy"
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:PUA:Win32/IObit",
"display_name": "ALF:PUA:Win32/IObit",
"target": null
},
{
"id": "TrojanDownloader:Win32/Kraddare",
"display_name": "TrojanDownloader:Win32/Kraddare",
"target": "/malware/TrojanDownloader:Win32/Kraddare"
},
{
"id": "ALF:PUA:Win32/FusionCore",
"display_name": "ALF:PUA:Win32/FusionCore",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"target": null
},
{
"id": "Trojan:Win32/Qbot",
"display_name": "Trojan:Win32/Qbot",
"target": "/malware/Trojan:Win32/Qbot"
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
},
{
"id": "ALF:JASYP:PUAWin32/Systweak",
"display_name": "ALF:JASYP:PUAWin32/Systweak",
"target": null
},
{
"id": "Trojan:Win32/Dapato",
"display_name": "Trojan:Win32/Dapato",
"target": "/malware/Trojan:Win32/Dapato"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1070.003",
"name": "Clear Command History",
"display_name": "T1070.003 - Clear Command History"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 485,
"hostname": 551,
"URL": 1019,
"FileHash-SHA256": 650,
"CVE": 5,
"FileHash-MD5": 425,
"FileHash-SHA1": 224,
"FilePath": 2,
"email": 2
},
"indicator_count": 3363,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "897 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "651f175a87ed5eba41657bf3",
"name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com",
"description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI",
"modified": "2023-11-04T16:00:22.229000",
"created": "2023-10-05T20:06:50.075000",
"tags": [
"engineering",
"united",
"cyber threat",
"team",
"malware",
"telefonica co",
"heur",
"malicious site",
"ip reputation",
"bambernek pony",
"zeus",
"nymaim",
"facebook",
"raccoon",
"download",
"kronos",
"ramnit",
"simda",
"bank",
"phishing",
"citadel",
"zbot",
"pykspa",
"agent",
"maltiverse",
"noname057",
"copyright",
"reserved",
"flag",
"date",
"name server",
"markmonitor",
"server",
"organization",
"germany germany",
"sample",
"session details",
"click",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"exit node",
"traffic group",
"suricata alerts",
"event category",
"analysis",
"malicious url",
"windows nt",
"wow64",
"response",
"gmt contenttype",
"gecko host",
"vary",
"gmt etag",
"general gets",
"script",
"parking crew",
"apple",
"apple id",
"tsara",
"tsara brashears",
"spyware",
"cyber criminal",
"cyber stalking",
"track",
"track iphone",
"accept all platforms",
"infringement",
"intellectual property",
"suricata",
"alert",
"red team",
"happywifehappylife",
"malicious",
"revenge",
"posts",
"post",
"post to web",
"post to server",
"exploit",
"command_and_control",
"toggle",
"logon",
"login",
"privilege",
"ios",
"attack",
"mitre",
"Packed.VMProt",
"apple engineering",
"abuse",
"cve",
"robots",
"arizona",
"bounce",
"canada",
"croatia",
"base64_encoded",
"%samplepath%",
"tagging",
"png image",
"PSI-USA, Inc. dba Domain Robot Organization",
"dns",
"query",
"evasive",
"crack",
"record type",
"ttl value",
"dns replication",
"santa fe",
"available from",
"registrar abuse",
"iana id",
"domain status",
"creation date",
"registrar url",
"code",
"dapato",
"predator",
"win64",
"conduit",
"fakeinstaller",
"installpack",
"generic",
"downloader",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"filetour",
"wacatac",
"fusioncore",
"cleaner",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"swrort",
"kraddare",
"systweak",
"iobit",
"installcore",
"artemis",
"riskware",
"dllinject",
"driverpack",
"trojanspy",
"webtoolbar",
"cisco umbrella",
"ip hostname",
"safe site",
"site",
"targeted",
"AI",
"dllinject"
],
"references": [
"Spyware",
"Parking Crew Spyware",
"c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG",
"http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e",
"service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM",
"d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG",
"https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d",
"wTools",
"Research and Analysis",
"go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET",
"dllinject"
],
"public": 1,
"adversary": "Cyber Criminal",
"targeted_countries": [
"Argentina",
"Ireland",
"United States of America"
],
"malware_families": [
{
"id": "Looquer",
"display_name": "Looquer",
"target": null
},
{
"id": "TinyZBot - S0004",
"display_name": "TinyZBot - S0004",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Bambernek Pony",
"display_name": "Bambernek Pony",
"target": null
},
{
"id": "Ransom:Win32/Nymaim",
"display_name": "Ransom:Win32/Nymaim",
"target": "/malware/Ransom:Win32/Nymaim"
},
{
"id": "Backdoor:Win32/Simda",
"display_name": "Backdoor:Win32/Simda",
"target": "/malware/Backdoor:Win32/Simda"
},
{
"id": "TrojanSpy:Win32/Kronos",
"display_name": "TrojanSpy:Win32/Kronos",
"target": "/malware/TrojanSpy:Win32/Kronos"
},
{
"id": "Trojan:Win32/Raccoonstealer",
"display_name": "Trojan:Win32/Raccoonstealer",
"target": "/malware/Trojan:Win32/Raccoonstealer"
},
{
"id": "Packed.VMProtect",
"display_name": "Packed.VMProtect",
"target": null
},
{
"id": "Spammer:Win32/Noname",
"display_name": "Spammer:Win32/Noname",
"target": "/malware/Spammer:Win32/Noname"
},
{
"id": "Worm:Win32/Pykspa",
"display_name": "Worm:Win32/Pykspa",
"target": "/malware/Worm:Win32/Pykspa"
},
{
"id": "Banker",
"display_name": "Banker",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Trojan:MSIL/Razy",
"display_name": "Trojan:MSIL/Razy",
"target": "/malware/Trojan:MSIL/Razy"
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:PUA:Win32/IObit",
"display_name": "ALF:PUA:Win32/IObit",
"target": null
},
{
"id": "TrojanDownloader:Win32/Kraddare",
"display_name": "TrojanDownloader:Win32/Kraddare",
"target": "/malware/TrojanDownloader:Win32/Kraddare"
},
{
"id": "ALF:PUA:Win32/FusionCore",
"display_name": "ALF:PUA:Win32/FusionCore",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"target": null
},
{
"id": "Trojan:Win32/Qbot",
"display_name": "Trojan:Win32/Qbot",
"target": "/malware/Trojan:Win32/Qbot"
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
},
{
"id": "ALF:JASYP:PUAWin32/Systweak",
"display_name": "ALF:JASYP:PUAWin32/Systweak",
"target": null
},
{
"id": "Trojan:Win32/Dapato",
"display_name": "Trojan:Win32/Dapato",
"target": "/malware/Trojan:Win32/Dapato"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1070.003",
"name": "Clear Command History",
"display_name": "T1070.003 - Clear Command History"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 485,
"hostname": 551,
"URL": 1019,
"FileHash-SHA256": 650,
"CVE": 5,
"FileHash-MD5": 425,
"FileHash-SHA1": 224,
"FilePath": 2,
"email": 2
},
"indicator_count": 3363,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "897 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65406318211eb8c95155b062",
"name": "Strictor CNC | APT37 | IP148.251.234.93 | Anonymizer | RedlineStealer | BruteForce | ddos",
"description": "",
"modified": "2023-10-31T02:14:48.782000",
"created": "2023-10-31T02:14:48.782000",
"tags": [
"generic malware",
"hybridanalysis",
"date filename",
"blacklist sat",
"sun jun",
"file",
"mon jun",
"thu jun",
"contacted",
"ip lookup",
"open",
"open ports",
"antivirus",
"less see",
"all av",
"detection ratio",
"ids detections",
"http post",
"strictor cnc",
"005000",
"002000000"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "6518f9615a88e0f1e325bde4",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 687,
"domain": 723,
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1519,
"URL": 2751
},
"indicator_count": 5682,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "901 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f057040b1f322c64402e0",
"name": "Strictor CNC | APT37 | IP148.251.234.93 | Anonymizer | Redline",
"description": "",
"modified": "2023-10-31T02:00:24.579000",
"created": "2023-10-30T01:22:56.776000",
"tags": [
"generic malware",
"hybridanalysis",
"date filename",
"blacklist sat",
"sun jun",
"file",
"mon jun",
"thu jun",
"contacted",
"ip lookup",
"open",
"open ports",
"antivirus",
"less see",
"all av",
"detection ratio",
"ids detections",
"http post",
"strictor cnc",
"005000",
"002000000"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "6518f9615a88e0f1e325bde4",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 687,
"domain": 723,
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1519,
"URL": 2751
},
"indicator_count": 5682,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "901 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6518f9615a88e0f1e325bde4",
"name": "Strictor CNC | APT37 | IP148.251.234.93 | Anonymizer | Redline",
"description": "Mail Spammer, IMAP Attacker, HTTP Spammer, Bruteforce login attacker, HTTP Attacker, HTTP Spammer, Dropper.Trojan.Agent, DangerousSig [Trj], RedLineStealer, Proxy, FireHOL, Apt37, mitre-attack, https://attack.mitre.org/groups/G0067/, IP: 148.251.234.93,\n\n \"tag\":\n [\"anonymization\",\n \"apt\",\n \"redlinestealer\",\n \"malware\",\n \"malware_download\",\n \"apache\",\n \"ddos\",\n \"rfi\",\n \"attacker\",\n \"login\",\n \"bruteforce\",\n \"bot\",\n \"joomla\",\n \"wordpress\",\n \"abuse\",\n \"imap\",\n \"pop3\",\n \"sasl\",\n \"mail\",\n \"spam\",\n \"anonymizer\"], \n#discord #slack",
"modified": "2023-10-31T02:00:24.579000",
"created": "2023-10-01T04:45:21.492000",
"tags": [
"generic malware",
"hybridanalysis",
"date filename",
"blacklist sat",
"sun jun",
"file",
"mon jun",
"thu jun",
"contacted",
"ip lookup",
"open",
"open ports",
"antivirus",
"less see",
"all av",
"detection ratio",
"ids detections",
"http post",
"strictor cnc",
"005000",
"002000000"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 687,
"domain": 723,
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1519,
"URL": 2751
},
"indicator_count": 5682,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "901 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6342b2b087554c9d5209b50b",
"name": "iphone",
"description": "",
"modified": "2022-11-09T00:03:32.403000",
"created": "2022-10-09T11:38:24.078000",
"tags": [],
"references": [
"iMessages.app"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "622775d4f2c38a89fdd0128a",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Lazzo115",
"id": "210949",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 306,
"URL": 1938,
"hostname": 808,
"FileHash-SHA256": 1768,
"FileHash-SHA1": 1
},
"indicator_count": 4821,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 8,
"modified_text": "1257 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "620c3b1f8af7ea0dcf2c1218",
"name": "Jeeng / Powerbox",
"description": "",
"modified": "2022-06-12T22:01:23.105000",
"created": "2022-02-15T23:45:35.234000",
"tags": [
"Jeeng",
"tim pool",
"timcast"
],
"references": [
"cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 9072,
"domain": 2500,
"URL": 13548,
"hostname": 3584,
"FileHash-MD5": 197,
"FileHash-SHA1": 162,
"CVE": 3,
"CIDR": 20,
"SSLCertFingerprint": 2,
"email": 19,
"BitcoinAddress": 1
},
"indicator_count": 29108,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 97,
"modified_text": "1407 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "623b7febb8bc01a01e42ab3d",
"name": "Democracy.works_3.23.22",
"description": "",
"modified": "2022-04-22T00:03:50.614000",
"created": "2022-03-23T20:15:39.720000",
"tags": [],
"references": [
"Democracy.works_3.23.22..pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10812,
"hostname": 2537,
"domain": 1018,
"FileHash-SHA256": 3788,
"CVE": 2,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 18160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 412,
"modified_text": "1458 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "623920a2146150d2d8525a73",
"name": "DEMOCRACY.WORKS",
"description": "",
"modified": "2022-04-20T00:02:21.571000",
"created": "2022-03-22T01:04:34.472000",
"tags": [],
"references": [
"DEMOCRACY.WORKS.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 9861,
"domain": 945,
"hostname": 2031,
"FileHash-SHA256": 3611,
"CVE": 1,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 16452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 414,
"modified_text": "1460 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62310336c0071a6c73cd7c34",
"name": "AppleAutoUpdate",
"description": "",
"modified": "2022-04-14T00:01:40.805000",
"created": "2022-03-15T21:20:54.633000",
"tags": [
"WannaCry",
"Apple Zero Day"
],
"references": [
"AppleAutoUpdate.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Ransomware.WannaCry-9856297-0",
"display_name": "Win.Ransomware.WannaCry-9856297-0",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4607,
"hostname": 1953,
"domain": 619,
"FileHash-SHA256": 2226
},
"indicator_count": 9405,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 411,
"modified_text": "1466 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622775d4f2c38a89fdd0128a",
"name": "iMessages.app 03.01.2022",
"description": "",
"modified": "2022-04-07T00:04:02.553000",
"created": "2022-03-08T15:27:16.349000",
"tags": [],
"references": [
"iMessages.app"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 306,
"URL": 1937,
"hostname": 808,
"FileHash-SHA256": 1768,
"FileHash-SHA1": 1
},
"indicator_count": 4820,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 408,
"modified_text": "1473 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"oas-japac-domains-applecomputer.cn",
"Can the DoD no questions asked target a SA victim",
"86.140.232.148 [scanning_host]",
"http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"104.86.182.8 [command_and_control]",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"apps.apple.com",
"service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM",
"monitor.kyos.ninja",
"rp.downloadastrocdn.com [command_and_control]",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"https://tulach.cc/ [phishing attacks]",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"dev-2.ernestatech.com",
"$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"t.name",
"Target agreed and complied with all lie detector measures.",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"wallpapers-nature.com",
"http://e.id?e.id:e.id.getAttribute",
"http://audaxgroup.appleid.com/",
"http://tracking.3061331.corn10wuk.club",
"Redirect: schemas.microsoft.com",
"1080p-torrent.ml",
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Spyware",
"iphonegermany.com",
"Link found in https://house.mo.com",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778",
"http://git.io/yBU2rg",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"location.search",
"tv.apple.com [Apple Backdoor| Attack | Hacking]",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"monitoring.eurovision.net",
"https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d",
"https://icloud.ch/cn/ipod-touch/",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"object.prototype.hasownproperty.call",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://meumundogay-com.sexogratis.page/locker",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"www.supernetforme.com [command_and_control]",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"iamrobert.com Y.A.S.",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"http://www.icloud-sms-alert.com/",
"https://es.pornhat.com/models/the-sex-creator/",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"robert-aebi.appleid.com",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"edgedl.me.gvt1.com",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"209.85.145.113 [malware]",
"Democracy.works_3.23.22..pdf",
"There is fear in silence or speaking out",
"http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"apple.com(-inc.cc)",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://www.reddit.com/user/",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"tulach.cc [AM | phishing]",
"Parking Crew Spyware",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"If someone is believed to be a threat they have right to due process.",
"apps.apple.com/us/app/id$",
"Research and Analysis",
"https://icloud.ch/",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"FormBook: http://45.159.189.105/bot/regex",
"capitana.onthewifi.com",
"globalworker1.sol.us",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"I am very upset. Whoever is doing this is sick.",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d",
"https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"www.search.app.goo.gl",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://dnsorangetel.dn2.n-helix.com",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"103.224.182.253 [command_and_control]",
"Yara Detections BackdoorWin32Simda",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"dllinject",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"iMessages.app",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]",
"worker-m-tlcus1.sol.us",
"d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"http://decafsmob.this.id",
"Gowi Live Bot.exe",
"cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap",
"AppleAutoUpdate.pdf",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://aspmx.l.google.com/",
"applestore.id",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"checkip.dyndns.org [command_and_control]",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]",
"https://www.facebooksunglassshop.com/",
"https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"cdn.fuckporntube.com",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"DEMOCRACY.WORKS.pdf",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4",
"https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"103.224.182.246 [command_and_control]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f",
"c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG",
"https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]",
"smtp2.icl-privaterelay.appleid.com",
"browser.events.data.msn.com | events-sandbox.data.msn.com",
"http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]",
"id.google.com",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"nr-data.net [New Relic Tracking | Apple Private Data Collection]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"ddos.dnsnb8.net [command_and_control]",
"critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website",
"go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET",
"Pahamify Pegasus",
"wTools",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"hasownproperty.call",
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"3.163.189.120 [Tracking]",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"a.default.meta.applestore.id",
"http://apple.support.com/ht***** redirect",
"mac.store",
"https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"nr-data.net [Apple Private Data Collection]",
"FormBook: 45.159.189.105",
"IDS: TLS Handshake Failure",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"tv.apple.com",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"states.app"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Cyber Criminal",
"[Unnamed group]"
],
"malware_families": [
"Pws:win32/qqpass.b!mtb",
"Backdoor:win32/likseput.b",
"Generic.asmalws",
"Gen:nn.zemsilf.34170",
"Downware",
"Msil_bladabindi.g.gen",
"Trojan.hotkeychick",
"Darkkomet.ife",
"Backdoor.dtr.15",
"Absolute uninstaller",
"Alf:heraklezeval:trojanspy:win32/socstealer",
"Sigriskware.lespeedtechnologyltd",
"Program.freemake",
"Gen:variant.ursu",
"Asparnet.p",
"Trojan.js.iframe",
"Trojan.bat.qhost",
"Magazine phishing",
"Installcore.gen7",
"Worm.allaple",
"Bscope.trojandownloader",
"Trojan.bayrob",
"Maltiverse",
"Worm:win32/benjamin",
"Trojan.downloader",
"Wacatac.b",
"Win32:trojan-gen",
"Redirector.an",
"Trojan.win32.pdf.alien",
"Gen:variant.tedy hacktool.vulndriver",
"Win.downloader.small-1645",
"Trojandropper.autit",
"Trojan:win32/qbot",
"Alf:pua:win32/iobit",
"Kryptik.gkqr",
"Alf:heraklezeval:pua:win32/spyrixkeylogger",
"Ramnit",
"Riskware.netfilter",
"Malware",
"Html:script",
"Trojan.small",
"Troj_gen.f04ie00ci19",
"Goldfinder",
"Csqkhtaai",
"Trojware.js.adware.agent",
"Scrinject.eric",
"Gamehack",
"Trojan:win32/dapato",
"Spammer:win32/noname",
"Sabsik.fl.b",
"Invicta stealer",
"Virus:win32/sality.at",
"Quasar rat",
"Adware.dealply",
"Worm:win32/bloored",
"Packed.vmprotect",
"Trojandownloader:win32/nemucod",
"Trojanspy",
"Mimikatz",
"Heur:hoax.pcfixer",
"Win32:rmndrp [inf]",
"Pe.heur",
"Html:redirba",
"Trojanspy:win32/kronos",
"Trojan:win32/scrarev.c",
"Gen:nn.zemsilf.32515",
"Emotet",
"Win.malware.elenooka-6996044-0",
"Applicunwnt@#2n6\tirs",
"Static ai - malicious pe",
"Vm201.0.b70b.malware",
"Dropper.wanna",
"Generic.application.js.sobrab.1",
"Backdoor.nhopro",
"Exploit.zip.heuristic",
"Trojan.msil.injurer.cbd",
"Autorunit",
"Agent tesla",
"Der zugriff",
"Azorult",
"Application.auslogics",
"Bscope.trojan",
"Gen:heur.msil.inject",
"Gen:variant.jacard",
"Warezov.gen3",
"Trojan.otnr",
"Nemucod.21c8",
"Deepscan:generic.brresmon.1",
"Suspici.1f4405d1",
"Vb:trojan.valyria",
"Scrinject.b",
"Webtoolbar",
"Adwaresig [adw]",
"Riskware.hacktool.agent",
"Heur.bzc.yax.boxter.819",
"Faceliker.d",
"Pua.wombat",
"Adware.pcappstore/veryfast",
"Backdoor:win32/simda",
"Tulach malware",
"Html:redirme",
"Wisecleaner.a potentially unwanted",
"Alf:jasyp:puawin32/systweak",
"Tinyzbot - s0004",
"Agent.mu",
"Win.ransomware.wannacry-9856297-0",
"Trojandownloader:win32/cutwail.bs",
"Agen.1144657",
"Nettool.remoteexec",
"Hacktool",
"Mimikatz - s0002",
"Downloader.opencandy",
"Vdehu.a",
"Hacktool.bruteforce",
"Agent.ocj",
"Adware.kuzitui",
"Bscope.adware.msil",
"Trojan:win32/xtrat",
"Hw32.packed",
"Application.deceptor",
"Trojan.linux.generic",
"Trojan.gandcrypt",
"Banker",
"Downloader.generic",
"Trojan.ransom.gandcrab",
"Kanna",
"Cobalt strike",
"Trojan.khalesi 2\tadware 2",
"Apnic",
"Silent",
"Js:trojan.hidelink 2",
"Hsbc",
"Dropper.trojan.agent",
"Ml.attribute",
"Downldr.gen",
"Hacktool.crack",
"Gen:variant.bulz",
"Trojanbanker.banbra",
"Gen:nn.zexaf.34090",
"Freemake.a potentially unwanted",
"Virus:win95/cerebrus",
"Alf:pua:win32/fusioncore",
"Orcus rat",
"Win32:botx-gen\\ [trj]",
"Zbot",
"Packed.themida",
"Trojan.cookiesstealer",
"Worm.chir",
"Trojan.downloader33",
"Wat:blacked-e",
"Adware.browsefoxcrtd",
"Driverreviver.a potentially unwanted",
"Behaveslike.icloader",
"Trojan:msil/razy",
"Injector.cuam",
"Adware",
"Sibot",
"Worm.boychi",
"Looquer",
"Phishing jpmorgan chase and co.",
"Trojan:win32/pariham.a",
"Backdoor.predator",
"Heur:trojan.diztakun",
"Trojan:win32/wacatac",
"Win32:cryptor",
"Tel:trojan:html/phishing",
"Webtoolbar.asparnet",
"W32.malware",
"Backdoor.androm",
"Nsis",
"Clicker.vb",
"Worm.autorun",
"Trojan:win32/zombie.a",
"Bscope.backdoor",
"W32.hfsautob",
"Unsafe.ai_score_95% 2",
"Hacktool.cheatengine",
"Kryptik.dawvk",
"Trojan.brsecmon",
"Gen:variant.symmi",
"Malicious.f01f67",
"Gen:variant.application.bundler.downloadguide",
"Tool.patcher",
"Virus.sality",
"Remote utilities",
"Infected.webpage",
"Trojandownloader:win32/upatre",
"Trojan.rozena",
"Xtreme rat",
"Gen:heur.msil.androm",
"Bambernek pony",
"Trojan.clipbanker",
"Qvm05.1.08e5.malware",
"Unsafe.ai_score_94%",
"Honeypot",
"Behaveslike.downloader",
"Virus.ramnit/nimnul",
"Slf:trojan:win32/grandoreiro.a",
"Mydoom",
"Pup.systweak",
"Bondat.a",
"Trojandownloader:win32/kraddare",
"Gen:variant.application.bundler",
"Googletoolbar",
"Generic.js.blackhole",
"Redline stealer",
"Trojan.crifi.1",
"Cve-2014-3153",
"Blacknet rat",
"Worm:win32/pykspa",
"Win.virus.polyransom-5704625-0",
"Agen.1045143",
"Dropper.gen",
"Packed.dico",
"Pegasus",
"Cve exploits",
"Ai:fileinfector.eaeea7850c",
"Trojan:win32/glupteba.km!mtb",
"Js:trojan.clicker",
"Heur:exploit.script",
"Mxresicn.heur",
"Adware.oxypumper",
"Trojan.msil",
"Ransom:win32/nymaim",
"Doplik.j",
"Installcore.np",
"Tsgeneric",
"W32.installcore.agx",
"Gen:variant.msilheracles",
"Trojan:win32/installcore",
"Trojan:win32/raccoonstealer",
"Am",
"Trojan:win32/icedid.di!mtb",
"Goldmax - s0588",
"Riskware.crack",
"Sigur",
"Hoax.deceptpcclean",
"Agent.cux.gen",
"Trojan.ransom.generickd",
"Trojan:win32/speesipro.a",
"Trojan.wisdomeyes.16070401.9500",
"Application.bitcoinminer"
],
"industries": [
"Civil society",
"Financial",
"Crime victims",
"Telecommunications",
"Government",
"Technology",
"Media",
"Legal"
],
"unique_indicators": 186039
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/phoneticarts.com",
"whois": "http://whois.domaintools.com/phoneticarts.com",
"domain": "phoneticarts.com",
"hostname": "alt7.phoneticarts.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 35,
"pulses": [
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962b68da732abc66a0c2caf",
"name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
"description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
"modified": "2026-02-09T19:00:09.890000",
"created": "2026-01-10T20:29:01.675000",
"tags": [
"ip address",
"status code",
"kb body",
"iocs",
"deny age",
"cloudfront",
"utc google",
"tag manager",
"g8t6ln06z40",
"utc na",
"google tag",
"injection",
"t1055 malware",
"tree",
"help v",
"defense evasion",
"injection t1055",
"resolved ips",
"get http",
"dns resolutions",
"v memory",
"pattern domains",
"full reports",
"v help",
"memory pattern",
"urls https",
"hashes",
"tiktok",
"microsoft",
"dashboard falcon",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"appleid",
"united",
"name servers",
"aaaa",
"servers",
"moved",
"script urls",
"passive dns",
"urls",
"data upload",
"extraction",
"failed",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"pegasus",
"encrypt",
"title error",
"ipv4",
"files",
"reverse dns",
"united states",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"t1204 user",
"script",
"beginstring",
"bad traffic",
"et info",
"null",
"title",
"refresh",
"span",
"strings",
"error",
"tools",
"meta",
"look",
"verify",
"restart",
"mitre att",
"ascii text",
"pattern match",
"ck matrix",
"tls handshake",
"hybrid",
"general",
"local",
"path",
"click",
"ck techniques",
"access att",
"div div",
"a li",
"ul div",
"record value",
"emails",
"accept",
"referen https",
"microsoft-falcon.net",
"proxy",
"status",
"certificate",
"updated date",
"whois server",
"zipcode",
"entries http",
"scans show",
"search",
"matches x",
"type",
"gmt cache",
"all ipv4",
"america flag",
"america asn",
"sameorigin",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jan",
"ipv4 add",
"win32mydoom jan",
"trojan",
"worm",
"expiration date",
"files show",
"date hash",
"avast avg",
"win32mydoom",
"backdoor",
"found",
"gmt connection",
"control",
"content type",
"twitter",
"dynamicloader",
"medium",
"high",
"msie",
"wow64",
"slcc2",
"media center",
"write",
"global",
"domain name",
"hostname",
"apple",
"racebook",
"mouse movement",
"remote mouse",
"domain",
"hostname add",
"url analysis",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"music",
"push",
"autorun",
"unknown",
"present sep",
"present may",
"present jan",
"present aug",
"cname",
"present nov",
"present jun",
"apache",
"body",
"pragma",
"found registry",
"able",
"model",
"indicator",
"source",
"show technique",
"file",
"internet",
"errore",
"erreur",
"download",
"service",
"crypto",
"compiler",
"installer",
"yang",
"updater",
"shutdown",
"thunk",
"este",
"install",
"reboot",
"code",
"downloader",
"sigur",
"kanna",
"der zugriff",
"google",
"chrome",
"Pahamify Pegasus",
"christoper p. ahmann",
"law enforcement",
"retaliation",
"phone",
"espionage",
"united states",
"m brian sabey",
"quasi government",
"target",
"monitored targeting",
"aig",
"therahand (old name)",
"target: tsara brashears",
"douglas county, co",
"sheriff",
"industry and commerce",
"worker\u2019s compensation",
"crime",
"financial crime",
"danger",
"nem tih",
"amazon",
"aws",
"amazon aws",
"deal",
"deal with it lawfully",
"pay victim",
"protecting reimer"
],
"references": [
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"Pahamify Pegasus",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"tv.apple.com",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"IDS: TLS Handshake Failure",
"Yara Detections BackdoorWin32Simda",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Virus:Win95/Cerebrus",
"display_name": "Virus:Win95/Cerebrus",
"target": "/malware/Virus:Win95/Cerebrus"
},
{
"id": "AutoRunIt",
"display_name": "AutoRunIt",
"target": null
},
{
"id": "Sigur",
"display_name": "Sigur",
"target": null
},
{
"id": "Kanna",
"display_name": "Kanna",
"target": null
},
{
"id": "Der Zugriff",
"display_name": "Der Zugriff",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1569.002",
"name": "Service Execution",
"display_name": "T1569.002 - Service Execution"
},
{
"id": "T1543.003",
"name": "Windows Service",
"display_name": "T1543.003 - Windows Service"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1134.001",
"name": "Token Impersonation/Theft",
"display_name": "T1134.001 - Token Impersonation/Theft"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1134.002",
"name": "Create Process with Token",
"display_name": "T1134.002 - Create Process with Token"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1564.003",
"name": "Hidden Window",
"display_name": "T1564.003 - Hidden Window"
},
{
"id": "T1497.003",
"name": "Time Based Evasion",
"display_name": "T1497.003 - Time Based Evasion"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1497.002",
"name": "User Activity Based Checks",
"display_name": "T1497.002 - User Activity Based Checks"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1074.001",
"name": "Local Data Staging",
"display_name": "T1074.001 - Local Data Staging"
},
{
"id": "T1560.002",
"name": "Archive via Library",
"display_name": "T1560.002 - Archive via Library"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
}
],
"industries": [
"Civil Society",
"Legal",
"Government",
"Technology",
"Telecommunications",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6094,
"domain": 1195,
"hostname": 2001,
"FileHash-SHA256": 2598,
"FileHash-MD5": 546,
"FileHash-SHA1": 403,
"email": 16,
"CVE": 2,
"SSLCertFingerprint": 3
},
"indicator_count": 12858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "676493c5607a603f1785a935",
"name": "https://ginko.garden/pl/contact tel:+48 797 920 339 ip4 77.79.221.180 77.79.221.148",
"description": "Pasywna replikacja DNS: \n77.79.221.180 \nSugerowany opis:\nPe\u0142ny tekst Ginko.Garden - Nowoczesne dekoracje i pergole metalowe - wedi dweud eu glass - metaloplastyka.\nSugerowane identyfikatory ATT&CK:\nOgr\u00f3d - Nowoczesne dekoracje z metalu do ogrodu - bi\u017cuteria ogrodowa i dekoracje szklane - pergole metalowe - metaloplastyka Meta Tagi s\u0142owa kluczowe Nowoczesne dekoracje z metalu do ogrodu - pergole metalowe - Ginko.\n77.79.221.148 \n46.41.159.227 \n46.41.159.177",
"modified": "2025-07-28T11:51:42.400000",
"created": "2024-12-19T21:44:37.537000",
"tags": [
"copyright",
"customevent",
"typeof e",
"boomerang",
"typeof t",
"macintosh",
"os x",
"post",
"typeof",
"iframe",
"date",
"nazwa rekordu",
"aaaaa",
"na wniosek",
"bezpieczestwo",
"serwer",
"przerwa",
"informacja o",
"prace",
"nazwa",
"hasze",
"adresy url",
"nazwa http",
"configoverride",
"continuity",
"pageparam s",
"iframedelay",
"autoxhr",
"historia",
"nazwa https",
"uytkownik",
"zenbox",
"komunikacja",
"pliki",
"rozmiar",
"kb data",
"wykrycia nie",
"mitre",
"ids nie",
"sigmy nie",
"submission",
"sha256",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"trid hypertext",
"markup language"
],
"references": [
"https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1334,
"hostname": 454,
"domain": 346,
"IPv6": 2,
"IPv4": 36,
"FileHash-SHA256": 1499,
"FileHash-MD5": 92,
"FileHash-SHA1": 74,
"CVE": 1,
"email": 1
},
"indicator_count": 3839,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "265 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6695e27f356a22d97fba5ca8",
"name": "Critical attack/s continues to affect YouTube Creator/s account/s",
"description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23",
"modified": "2024-08-15T02:00:24.886000",
"created": "2024-07-16T03:01:17.316000",
"tags": [
"win32 exe",
"wextract",
"kb file",
"files",
"file type",
"javascript",
"graph",
"ip detections",
"country",
"userprofile",
"runtime modules",
"samplepath",
"delnoderundll32",
"mpgph131 hr",
"hourly rl",
"highest c",
"mpgph131 lg",
"onlogon rl",
"highest",
"process",
"registrya",
"registry keys",
"registry",
"windows policy",
"shell folders",
"file execution",
"binary data",
"security center",
"text c",
"peexe c",
"xml c",
"zip c",
"file system",
"written c",
"dropped",
"hashes",
"windows nt",
"wow64",
"referer https",
"date thu",
"get https",
"request",
"gecko response",
"gmt connection",
"gmt vary",
"etag",
"accept",
"win64",
"query",
"windows get",
"internal",
"set file",
"create",
"create process",
"windows read",
"shutdown system",
"modify access",
"delete registry",
"enumerate",
"behavior tags",
"k0pmbc",
"spsfsb",
"ctsu",
"efq78c",
"egw7od",
"en3i8d",
"i6ydgd",
"iz1fbc",
"izt63",
"kum7z",
"vs2003",
"sp1 build",
"contained",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"simplified",
"army",
"variant sides",
"with russia",
"ramnit",
"netsupport rat",
"sneaky server",
"replacement",
"unauthorized",
"sim unlock",
"emotet",
"chaos",
"malicious",
"critical",
"copy",
"life",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"cc linker",
"urls",
"gandi sas",
"domains",
"cloudflare",
"ii llc",
"psiusa",
"domain robot",
"ltd dba",
"com laude",
"ascio",
"contacted",
"ms word",
"document",
"b file",
"html",
"javascript jac",
"html iu3",
"executed by usa",
"#wextract",
"#unsigned",
"thor",
"stealer",
"evader",
"systemroot",
"grum",
"high",
"delete c",
"cape",
"write",
"103 read",
"clsid read",
"date read",
"trojan",
"united",
"unknown",
"status",
"cname",
"creation date",
"search",
"as1921",
"austria unknown",
"emails",
"expiration date",
"date",
"pragma",
"next",
"passive dns",
"backdoor",
"win32",
"scan endpoints",
"all scoreblue",
"ipv4",
"usa",
"co",
"teams",
"cybercrime",
"spoof",
"benjamin",
"dynamicloader",
"write c",
"pe32 executable",
"show",
"yara rule",
"windows",
"recon",
"worm",
"powershell",
"june",
"delphi",
"malware",
"malice",
"retaliation",
"through the nights",
"apple",
"lenovo",
"ios",
"hackers",
"move",
"moved"
],
"references": [
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"nr-data.net [Apple Private Data Collection]",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "WAT:Blacked-E",
"display_name": "WAT:Blacked-E",
"target": null
},
{
"id": "Win32:RmnDrp [Inf]",
"display_name": "Win32:RmnDrp [Inf]",
"target": null
},
{
"id": "AI:FileInfector.EAEEA7850C",
"display_name": "AI:FileInfector.EAEEA7850C",
"target": null
},
{
"id": "Virus.Ramnit/Nimnul",
"display_name": "Virus.Ramnit/Nimnul",
"target": null
},
{
"id": "Trojan.Crifi.1",
"display_name": "Trojan.Crifi.1",
"target": null
},
{
"id": "Trojan.MSIL.Injurer.cbd",
"display_name": "Trojan.MSIL.Injurer.cbd",
"target": null
},
{
"id": "Win.Downloader.Small-1645",
"display_name": "Win.Downloader.Small-1645",
"target": null
},
{
"id": "Trojan:Win32/Scrarev.C",
"display_name": "Trojan:Win32/Scrarev.C",
"target": "/malware/Trojan:Win32/Scrarev.C"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Speesipro.A",
"display_name": "Trojan:Win32/Speesipro.A",
"target": "/malware/Trojan:Win32/Speesipro.A"
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Backdoor:Win32/Likseput.B",
"display_name": "Backdoor:Win32/Likseput.B",
"target": "/malware/Backdoor:Win32/Likseput.B"
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1134.004",
"name": "Parent PID Spoofing",
"display_name": "T1134.004 - Parent PID Spoofing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1003.007",
"name": "Proc Filesystem",
"display_name": "T1003.007 - Proc Filesystem"
},
{
"id": "T1042",
"name": "Change Default File Association",
"display_name": "T1042 - Change Default File Association"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Media",
"Technology",
"Civil Society",
"Crime Victims"
],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4312,
"domain": 1056,
"hostname": 1818,
"URL": 5125,
"FileHash-MD5": 310,
"FileHash-SHA1": 221,
"email": 3
},
"indicator_count": 12845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "612 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea6410c1e1b1185951ef98",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)",
"description": "",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-08T01:04:16.906000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65e863bebbf95e0dc5a4169a",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65caca061fbb7674de86ec7b",
"name": "Invicta Stealer",
"description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com",
"modified": "2024-03-14T01:01:47.115000",
"created": "2024-02-13T01:46:46.969000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"communicating",
"whois whois",
"subdomains",
"referrer",
"problems",
"core",
"startpage",
"june",
"passive dns",
"urls",
"domain",
"otx telemetry",
"body",
"gmt content",
"x adblock",
"scan endpoints",
"all octoseek",
"hostname",
"date",
"encrypt",
"threat roundup",
"october",
"november",
"march",
"february",
"apple ios",
"april",
"tsara brashears",
"copy",
"hacktool",
"phishing",
"metro",
"crypto",
"installer",
"awful",
"united",
"unknown",
"germany unknown",
"search",
"servers",
"registrar",
"name servers",
"status",
"next",
"moved",
"address",
"creation date",
"showing",
"ipv4",
"pulse submit",
"url analysis",
"accept",
"aaaa",
"record type",
"ttl value",
"html document",
"ascii text",
"anchor hrefs",
"hrefs",
"anchor",
"anchor href",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"url https",
"sample",
"server",
"code",
"registry domain",
"dnssec",
"registrar url",
"registrar whois",
"iana id",
"registrar abuse",
"tech email",
"fake update",
"utilizes new",
"idat loader",
"stealc",
"urls http",
"isadultno",
"adposbottom",
"adformatplain",
"adnetworks",
"quasar rat",
"ip detections",
"country",
"cellbrite",
"execution",
"pegasus",
"malware",
"agent tesla",
"attack",
"ukraine",
"silent",
"invicta stealer",
"redline stealer",
"orcus rat",
"files",
"germany asn",
"as196763",
"a domains",
"redacted for",
"record value",
"for privacy",
"emails",
"name",
"contacted urls",
"bundled",
"de indicators",
"domains",
"hashes",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"pulse pulses",
"location united",
"open",
"cookie",
"customer",
"0 report",
"sea alt",
"certificate",
"#targeting",
"#discordwallets",
"house.mo.gov"
],
"references": [
"https://www.facebooksunglassshop.com/",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"edgedl.me.gvt1.com",
"Link found in https://house.mo.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Invicta Stealer",
"display_name": "Invicta Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Orcus RAT",
"display_name": "Orcus RAT",
"target": null
},
{
"id": "Silent",
"display_name": "Silent",
"target": null
}
],
"attack_ids": [],
"industries": [
"Government",
"Civil Society",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 65,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 145,
"FileHash-SHA256": 3848,
"CVE": 3,
"URL": 8291,
"domain": 2541,
"hostname": 3034,
"email": 13
},
"indicator_count": 18028,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a836104ede1963b0502042",
"name": "Not even Google",
"description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com",
"modified": "2024-02-16T17:02:44.115000",
"created": "2024-01-17T20:18:24.316000",
"tags": [
"ssl certificate",
"threat roundup",
"whois record",
"march",
"october",
"contacted",
"july",
"april",
"june",
"roundup",
"august",
"copy",
"execution",
"plugx",
"goldfinder",
"sibot",
"hacktool",
"february",
"ransomexx",
"ermac",
"emotet",
"agent tesla",
"nokoyawa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1315,
"URL": 1384,
"domain": 327,
"hostname": 516,
"FileHash-MD5": 19,
"FileHash-SHA1": 19
},
"indicator_count": 3580,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "793 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://alt7.phoneticarts.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://alt7.phoneticarts.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776642268.974176
}