{ "type": "URL", "indicator": "https://amazon.co.jp.rozbek.ltd", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://amazon.co.jp.rozbek.ltd", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3749906778, "indicator": "https://amazon.co.jp.rozbek.ltd", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 36, "pulses": [ { "id": "66d86e0d76778bf1bcb47e5d", "name": "AS140227 enriched", "description": "", "modified": "2025-06-07T15:40:37.476000", "created": "2024-09-04T14:26:21.356000", "tags": [], "references": [ "https://www.virustotal.com/graph/g883116b41ba0417e98c7d99988fd2464797fb1fe54054692a35fe49c03255297" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 1331, "domain": 4165, "hostname": 3720, "URL": 11188, "CVE": 1 }, "indicator_count": 20435, "is_author": false, "is_subscribing": null, "subscriber_count": 181, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d8d8d8238606c85e7a3979", "name": "AS200019 alexhost srl", "description": "", "modified": "2025-06-07T15:39:05.533000", "created": "2024-09-04T22:02:00.596000", "tags": [], "references": [ "https://www.virustotal.com/graph/gf011ff2560014743857f4dc25899d89d7afb2779d5ae47a28a60412eb0de8f07" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1193, "hostname": 1141, "URL": 3301, "FileHash-SHA256": 626, "CVE": 3 }, "indicator_count": 6264, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6687495ad1e4ef814ec26c75", "name": "Remote Network Attack | JakyllHyde: Malicious Keyword Tool Index | Sabey Data Centers", "description": "Research shows compromise originated from Sabey Data Centers. High Priority 'Malicious' \nRemotely connects to victim network is injection,", "modified": "2024-09-05T06:26:17.295000", "created": "2024-07-05T01:16:10.251000", "tags": [ "read c", "get na", "sthubei", "otaokexing", "unknown", "write c", "outaokexing", "cntaokexing", "ms windows", "pe32", "win64", "write", "next", "win32", "malware", "copy", "keyword tool", "historical ssl", "referrer", "vs2010", "file", "sections", "signature", "file version", "windows system", "internal name", "version", "portable", "info compiler", "analyzer paste", "iocs", "url https", "samples", "cisco umbrella", "site", "safe site", "alexa top", "million", "heur", "malware site", "malicious site", "iframe", "alexa", "deepscan", "crack", "fusioncore", "cleaner", "riskware", "jakyllhyde", "china unknown", "asnone china", "cname", "as4812 china", "as4134 chinanet", "date", "moved", "search", "status", "body", "as4837 china", "bad request", "passive dns", "gmt content", "type", "scan endpoints", "all scoreblue", "twitter", "trojan", "urls", "machinename", "alibaba cloud", "computing", "beijing", "domains", "contacted", "ip detections", "country", "files", "file type", "signals mutexes", "local", "localc", "mutexes", "as31122 digiweb", "ireland unknown", "a domains", "gmt server", "pulse pulses", "pragma", "ipv4", "apache", "get http", "request", "host", "accept", "response", "date mon", "http requests", "connection", "server", "pluginrun", "ip traffic", "hashes", "user", "dns resolutions", "ff ff", "lowdatetime", "mofresourcename", "portclsmof", "hdaudiomofname", "processorwmi", "acpimofresource", "mofresource", "registry keys", "counter", "files written", "files dropped", "registry", "samplepath", "windir", "created c", "shell commands", "monitor", "arg0", "tree", "synchronization", "yara signature", "match", "thor apt", "scanner rule", "livehunt", "ruletype", "rule feed", "rulelink", "microsoft", "ruleauthor", "backdoor", "injection", "sabey data centers", "vbs", "remote attack", "extreme targeting", "116.207.118.87", "192.168.56.103", "linux", "locate linux deployed", "track", "tracking", "track all devices", "android", "apple", "apple webkit" ], "references": [ "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "#copyright #statements #malformed_copyright_statements", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "System process connects to network (likely due to code injection or exploit)", "Snort IDS alert for network traffic | Detected VMProtect packer", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Hong Kong", "Singapore" ], "malware_families": [ { "id": "Trojan:Win32/JakyllHyde", "display_name": "Trojan:Win32/JakyllHyde", "target": "/malware/Trojan:Win32/JakyllHyde" }, { "id": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "display_name": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "target": null }, { "id": "W32/Witch.3FA0!tr", "display_name": "W32/Witch.3FA0!tr", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 682, "FileHash-SHA1": 327, "FileHash-SHA256": 2911, "SSLCertFingerprint": 4, "URL": 13039, "domain": 1038, "hostname": 2764, "email": 2, "CVE": 2 }, "indicator_count": 20769, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ad8e83914549cd4658f8e", "name": "Radar Ineractive \u2022 Inmortal \u2022 HSBC.com", "description": "carrotbat malware, SHAREit services.exe, typosquatting, fraud services, privilege, location tracking, cyber stalking, masquerading, malvertizing, malicious website, C2, control, apple, android, services, CNC, hack tools,\nMaps are real tools. \nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing & botnetwork)\nhttp://45.159.189.105/bot/regex (Botnetwork)\nhttps://www.sweetheartvideo.com/tsara-brashears/\nwww.sweetheartvideo.com\t(Tsara Brashears Botnetwork created by attacker)\nhttp://182.22.25.124:7878/182.22.25.124:443\nhttps://pin.it/ (aka malicious Pinterest)\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (100% straight female target - defamation, libel)\ndis.io\npin.it (changed targets Pinterest to this)\nRadar Ineractive \u2022 Inmortal \u2022 HSBC.com", "modified": "2023-12-20T02:02:59.943000", "created": "2023-11-20T03:56:24.105000", "tags": [ "log id", "gmtn", "passive dns", "urls", "tls web", "encrypt", "ca issuers", "f9970e", "bd6en timestamp", "a487132c3b", "false", "ssl certificate", "tsara brashears", "contacted", "referrer", "copy", "historical ssl", "collections", "password", "networks", "botnet campaign", "skynet", "fall", "hacktool", "malware", "critical", "relic", "monitoring", "attack", "hiddentear", "metro", "test", "detection list", "pattern match", "root ca", "authority", "class", "script", "mitre att", "temp", "ck id", "show technique", "ck matrix", "date", "unknown", "meta", "span", "error", "refresh", "body", "generator", "look", "verify", "restart", "hybrid", "accept", "click", "strings", "tools", "whois record", "msgid10053", "msgid10051", "communicating", "anid", "execution", "null", "core", "installer", "threat roundup", "apple ios", "august", "highly targeted", "apple", "sqli dumper", "april", "february", "awful", "radar ineractive", "october", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cisco umbrella", "site", "wormx", "malicious site", "safe site", "malware site", "alexa top", "million", "phishing site", "alexa", "phishing", "agent", "bank", "inmortal", "united", "cyber threat", "pony", "cnc zeus", "tracker", "cnc server", "covid19", "engineering", "http spammer", "host", "azorult", "asyncrat", "cobalt strike", "team", "hsbc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 815, "FileHash-SHA256": 3404, "SSLCertFingerprint": 2, "URL": 8938, "domain": 1194, "hostname": 2705, "FileHash-SHA1": 457, "CIDR": 7, "CVE": 3 }, "indicator_count": 17525, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ad83180deb1186bb4f466", "name": "Carrotbat Malware | Stalker Suite | gogglemaps.com", "description": "carrotbat malware, SHAREit services.exe, typosquatting, fraud services, privilege, location tracking, cyber stalking, masquerading, malvertizing, malicious website, C2, control, apple, android, services, CNC, hack tools, botnetwork \nMaps are real tools. \nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing & botnetwork)\nhttp://45.159.189.105/bot/regex (Botnetwork)\nhttps://www.sweetheartvideo.com/tsara-brashears/\nwww.sweetheartvideo.com\t(Tsara Brashears Botnetwork created by attacker)\nhttp://182.22.25.124:7878/182.22.25.124:443\nhttps://pin.it/ (aka malicious Pinterest)\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (100% straight female target - defamation, libel)\ndis.io\npin.it (changed targets Pinterest to this)", "modified": "2023-12-20T02:02:59.943000", "created": "2023-11-20T03:53:21.699000", "tags": [ "log id", "gmtn", "passive dns", "urls", "tls web", "encrypt", "ca issuers", "f9970e", "bd6en timestamp", "a487132c3b", "false", "ssl certificate", "tsara brashears", "contacted", "referrer", "copy", "historical ssl", "collections", "password", "networks", "botnet campaign", "skynet", "fall", "hacktool", "malware", "critical", "relic", "monitoring", "attack", "hiddentear", "metro", "test", "detection list", "pattern match", "root ca", "authority", "class", "script", "mitre att", "temp", "ck id", "show technique", "ck matrix", "date", "unknown", "meta", "span", "error", "refresh", "body", "generator", "look", "verify", "restart", "hybrid", "accept", "click", "strings", "tools", "whois record", "msgid10053", "msgid10051", "communicating", "anid", "execution", "null", "core", "installer", "threat roundup", "apple ios", "august", "highly targeted", "apple", "sqli dumper", "april", "february", "awful", "radar ineractive", "october", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cisco umbrella", "site", "wormx", "malicious site", "safe site", "malware site", "alexa top", "million", "phishing site", "alexa", "phishing", "agent", "bank", "inmortal", "united", "cyber threat", "pony", "cnc zeus", "tracker", "cnc server", "covid19", "engineering", "http spammer", "host", "azorult", "asyncrat", "cobalt strike", "team", "hsbc", "noname057", "generic malware", "blacklist http", "malicious url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 815, "FileHash-SHA256": 3404, "SSLCertFingerprint": 2, "URL": 8938, "domain": 1195, "hostname": 2705, "FileHash-SHA1": 457, "CIDR": 7, "CVE": 3 }, "indicator_count": 17526, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655650c9b2be6cc930c92cf3", "name": "https://myaccount.uscis.gov/", "description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:26:33", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655652f6ddcbf952a599cded", "name": "https://myaccount.uscis.gov/", "description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:35:50.285000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65565477da453c46f05a6ac4", "name": "BTW VirusTotal - \" interesting files written to disk during execution'", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:42:15.123000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655657ca2e402d4f98283de9", "name": "https://myaccount.uscis.gov/ ", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:56:26.312000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655686e2c072557f03e9cba2", "name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T21:17:22.087000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c52bf98f256b6a01da6", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-18T00:58:58.944000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aac25a8a2caaddf0d3b88", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-12-02T04:01:41.427000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655652f6ddcbf952a599cded", "export_count": 93, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c8f263fa4666e1d6fc809", "name": "Fraud Metro T-Mobile | Malware.300983 | C2", "description": "Tas.mo previously had a Metro T-Mobile logo. \n(www-temp.metrobyt-mobile.com)\nFraud phone services.\nDGA\nTargets/controls\nsongculture.com\nhttp://www.songculture.com\t\nhttps://songculture.com/kedenc\nhttps://songculture.com/tsara-brashears-music\nhttps://songculture.com/tsara-lynn-brashears\nhttps://www.songculture.com\n\ncommand_and_control IP addresses:\n112.124.193.155 command_and_control\t\t\t\n58.216.109.26 command_and_control\t\t\t\n61.147.112.247 command_and_control\t\n112.124.193.155 command_and_control\t\t\t\n58.216.109.26 command_and_control\t\t\t\t\n61.147.112.247 command_and_control\t\nExploits:\t\t\n115.223.11.149 exploit_source\t\n124.236.96.175 exploit_source\t\t\t\t\n157.185.144.117 exploit_source\t\t\t\n210.245.121.219 exploit_source\t\t\t\n58.220.74.29 exploit_source\t\t\t\t\n59.48.165.148 exploit_source\t\t\t\n119.206.200.181 scanning_host\t\t\t\n119.207.67.23 scanning_host\t\t\t\n157.185.179.222 scanning_host", "modified": "2023-12-09T07:02:38.219000", "created": "2023-11-09T07:49:58.299000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "communicating", "historical ssl", "referrer", "whois whois", "july", "august", "site", "cisco umbrella", "alexa top", "softcnapp", "malicious site", "site top", "million", "safe site", "malware site", "malware", "downldr", "presenoker", "artemis", "team", "iframe", "malware.300983", "gamehack", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "maltiverse qrat", "engineering", "team malware", "team gen", "download", "malicious", "suppobox", "phishing", "blacklist http", "low risk", "domain", "malware found", "ip address", "apache cms", "unknown", "minimal low", "security risk", "medium high", "critical" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Malware.300983", "display_name": "Malware.300983", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 250, "FileHash-MD5": 335, "FileHash-SHA1": 200, "FileHash-SHA256": 1079, "URL": 3863, "hostname": 889, "CVE": 2 }, "indicator_count": 6618, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654d29cdaf1e1d19c6a1896b", "name": "Fraud Metro T-Mobile | Malware.300983 | C2", "description": "", "modified": "2023-12-09T07:02:38.219000", "created": "2023-11-09T18:49:49.105000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "communicating", "historical ssl", "referrer", "whois whois", "july", "august", "site", "cisco umbrella", "alexa top", "softcnapp", "malicious site", "site top", "million", "safe site", "malware site", "malware", "downldr", "presenoker", "artemis", "team", "iframe", "malware.300983", "gamehack", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "maltiverse qrat", "engineering", "team malware", "team gen", "download", "malicious", "suppobox", "phishing", "blacklist http", "low risk", "domain", "malware found", "ip address", "apache cms", "unknown", "minimal low", "security risk", "medium high", "critical" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Malware.300983", "display_name": "Malware.300983", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "654c8f263fa4666e1d6fc809", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 250, "FileHash-MD5": 335, "FileHash-SHA1": 200, "FileHash-SHA256": 1079, "URL": 3863, "hostname": 889, "CVE": 2 }, "indicator_count": 6618, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c87f9b3623737e66706dc", "name": "CNC | tas.mo", "description": "Tas.mo previously had a Metro T-Mobile logo. \n(www-temp.metrobyt-mobile.com)\nFraud phone services. DGA?\nTargeting/controlling \nsongculture.com\nhttp://www.songculture.com\t\nhttps://songculture.com/kedenc\nhttps://songculture.com/tsara-brashears-music\nhttps://songculture.com/tsara-lynn-brashears\nhttps://www.songculture.com\ncommand_and_control IP addresses:\n112.124.193.155 command_and_control\t\t\t\n58.216.109.26 command_and_control\t\t\t\nI61.147.112.247 command_and_control\t\n112.124.193.155 command_and_control\t\t\t\n58.216.109.26 command_and_control\t\t\t\t\n61.147.112.247 command_and_control\t\nExploits:\t\t\n115.223.11.149 exploit_source\t\t\t\n124.236.96.175 exploit_source\t\t\t\t\n157.185.144.117 exploit_source\t\t\t\n210.245.121.219 exploit_source\t\t\t\n58.220.74.29 exploit_source\t\t\t\t\n59.48.165.148 exploit_source\t\t\t\n119.206.200.181 scanning_host\t\t\t\n119.207.67.23 scanning_host\t\t\t\n157.185.179.222 scanning_host", "modified": "2023-12-09T05:05:07.918000", "created": "2023-11-09T07:19:21.583000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "communicating", "historical ssl", "referrer", "whois whois", "july", "august", "site", "cisco umbrella", "alexa top", "softcnapp", "malicious site", "site top", "million", "safe site", "malware site", "malware", "downldr", "presenoker", "artemis", "team", "iframe", "malware.300983", "gamehack", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "maltiverse qrat", "engineering", "team malware", "team gen", "download", "malicious", "suppobox", "phishing", "blacklist http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Malware.300983", "display_name": "Malware.300983", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 249, "FileHash-MD5": 335, "FileHash-SHA1": 200, "FileHash-SHA256": 1079, "URL": 3860, "hostname": 889, "CVE": 2 }, "indicator_count": 6614, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a56285d6eb74c2b87a48", "name": "RacoonStealer", "description": "", "modified": "2023-12-06T16:46:26.043000", "created": "2023-12-06T16:46:26.043000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 708, "hostname": 396, "URL": 1264, "domain": 197 }, "indicator_count": 2603, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a55c9ecc3c75c949f951", "name": "Command and Control: PublicDomainRegistry.com", "description": "", "modified": "2023-12-06T16:46:20.192000", "created": "2023-12-06T16:46:20.192000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 708, "hostname": 396, "URL": 1264, "domain": 197 }, "indicator_count": 2603, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1bf9ae4cfe4669a779c", "name": "Agent Tesla", "description": "", "modified": "2023-12-06T16:30:55.036000", "created": "2023-12-06T16:30:55.036000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1b6abdfb076f2821940", "name": "FORMBOOK", "description": "", "modified": "2023-12-06T16:30:46.983000", "created": "2023-12-06T16:30:46.983000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1af4208c92832a9ae98", "name": "SKYNET", "description": "", "modified": "2023-12-06T16:30:39.892000", "created": "2023-12-06T16:30:39.892000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1a14208c92832a9ae97", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:25.110000", "created": "2023-12-06T16:30:25.110000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a197d1f648020fa5206c", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:15.426000", "created": "2023-12-06T16:30:15.426000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a18f5700cbc5aba025c9", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:07.880000", "created": "2023-12-06T16:30:07.880000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6508b62ef29292d04d729129", "name": "RacoonStealer ", "description": "", "modified": "2023-10-18T18:02:51.172000", "created": "2023-09-18T20:42:22.131000", "tags": [ "pe resource", "ssl certificate", "contacted", "historical ssl", "execution", "whois record", "collections", "daily domain", "hunting", "osint analysis", "Command and Control", "malware bazaar", "qvfunction", "indicator", "file", "js user", "scanning", "scanning host", "dynamic", "dynamic dns", "dynamic isp", "stealer", "additional_payloads", "malware_download", "MacOS", "diskwriter", "zip", "Pexee", "executables", "malicious", "dropped-by-smokeloader", "bazaar cloud", "malicious host", "fraud host", "phishing mob", "gambling", "mob", "phishing", "trojans", "exploits", "Suricata", "MITRE ATT&CKS\u2122", "Dnssec", "Dnssec unsigned", "unsigned", "tracking", "http://cloudbazaar.org/" ], "references": [ "Hybrid Analysis", "Data Analysis", "Research" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Trojan:MSIL/RacoonStealer", "display_name": "Trojan:MSIL/RacoonStealer", "target": "/malware/Trojan:MSIL/RacoonStealer" }, { "id": "TrojanSpy:MSIL/RacoonStealer", "display_name": "TrojanSpy:MSIL/RacoonStealer", "target": "/malware/TrojanSpy:MSIL/RacoonStealer" }, { "id": "Ransom:Win32/Vidar", "display_name": "Ransom:Win32/Vidar", "target": "/malware/Ransom:Win32/Vidar" }, { "id": "Mohazo", "display_name": "Mohazo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Trojan:Win32/ArkeiStealer", "display_name": "Trojan:Win32/ArkeiStealer", "target": "/malware/Trojan:Win32/ArkeiStealer" }, { "id": "Trojan:JS/SmokeLoader", "display_name": "Trojan:JS/SmokeLoader", "target": "/malware/Trojan:JS/SmokeLoader" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Technology", "Hosting", "Domain Register" ], "TLP": "white", "cloned_from": "6508b5180d5f16e36a8ec042", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 708, "URL": 1264, "domain": 197, "hostname": 396 }, "indicator_count": 2603, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "914 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6508b5180d5f16e36a8ec042", "name": "Command and Control: PublicDomainRegistry.com", "description": "DGA Domain\nFraud Host: Many of the domains are purchased by spammers, malvertizers, cyber criminals, etc.\n\nStealers\nphishing\nmalware \nMalicious Host", "modified": "2023-10-18T18:02:51.172000", "created": "2023-09-18T20:37:44.801000", "tags": [ "pe resource", "ssl certificate", "contacted", "historical ssl", "execution", "whois record", "collections", "daily domain", "hunting", "osint analysis", "Command and Control", "malware bazaar", "qvfunction", "indicator", "file", "js user", "scanning", "scanning host", "dynamic", "dynamic dns", "dynamic isp", "stealer", "additional_payloads", "malware_download", "MacOS", "diskwriter", "zip", "Pexee", "executables", "malicious", "dropped-by-smokeloader", "bazaar cloud", "malicious host", "fraud host", "phishing mob", "gambling", "mob", "phishing", "trojans", "exploits", "Suricata", "MITRE ATT&CKS\u2122", "Dnssec", "Dnssec unsigned", "unsigned", "tracking", "http://cloudbazaar.org/" ], "references": [ "Hybrid Analysis", "Data Analysis", "Research" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Trojan:MSIL/RacoonStealer", "display_name": "Trojan:MSIL/RacoonStealer", "target": "/malware/Trojan:MSIL/RacoonStealer" }, { "id": "TrojanSpy:MSIL/RacoonStealer", "display_name": "TrojanSpy:MSIL/RacoonStealer", "target": "/malware/TrojanSpy:MSIL/RacoonStealer" }, { "id": "Ransom:Win32/Vidar", "display_name": "Ransom:Win32/Vidar", "target": "/malware/Ransom:Win32/Vidar" }, { "id": "Mohazo", "display_name": "Mohazo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Trojan:Win32/ArkeiStealer", "display_name": "Trojan:Win32/ArkeiStealer", "target": "/malware/Trojan:Win32/ArkeiStealer" }, { "id": "Trojan:JS/SmokeLoader", "display_name": "Trojan:JS/SmokeLoader", "target": "/malware/Trojan:JS/SmokeLoader" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Technology", "Hosting", "Domain Register" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 708, "URL": 1264, "domain": 197, "hostname": 396 }, "indicator_count": 2603, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "914 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f8c8f9ff01647942e89ab9", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "Extremely Robust hacking campaign for a single individual with a small publishing company. \nTsara Brashears targeted individual in command and control , phishing, porn, hacking, etc scheme.\nIPv4 45.159.189.105 command_and_control\t\t\t\t\t\nURL\nhttp://matfyz.cz/ phishing\t\t\tNo Expiration\t\nURL\nhttp://www.craftbychristians.com/wufn/ phishing\n No Expiration\t\t\n\nURL\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing No Expiration\t\t\nhttps://www.milehighmedia.com/legal/2257 phishing\t\t\t\nIPv4 20.99.133.109 scanning_host\t\t\t\nIPv4 218.85.157.99 scanning_host", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T18:46:17.482000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f90e2ef2e0986363ea32d6", "name": "Agent Tesla ", "description": "", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T23:41:34.623000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64f90d8d4f80ef4f0b04fb01", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f90d8d4f80ef4f0b04fb01", "name": "FORMBOOK ", "description": "", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T23:38:53.528000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64f90d760420bd54f0bba54e", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f90d760420bd54f0bba54e", "name": "SKYNET ", "description": "", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T23:38:30.148000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64f8c8f9ff01647942e89ab9", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f8c90130e2cd1b887859ad", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "Extremely Robust hacking campaign for a single individual with a small publishing company. \nTsara Brashears targeted individual in command and control , phishing, porn, hacking, etc scheme.\nIPv4 45.159.189.105 command_and_control\t\t\t\t\t\nURL\nhttp://matfyz.cz/ phishing\t\t\tNo Expiration\t\nURL\nhttp://www.craftbychristians.com/wufn/ phishing\n No Expiration\t\t\n\nURL\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing No Expiration\t\t\nhttps://www.milehighmedia.com/legal/2257 phishing\t\t\t\nIPv4 20.99.133.109 scanning_host\t\t\t\nIPv4 218.85.157.99 scanning_host", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T18:46:25.683000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f8c8ff2590e49e9ecd6b67", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "Extremely Robust hacking campaign for a single individual with a small publishing company. \nTsara Brashears targeted individual in command and control , phishing, porn, hacking, etc scheme.\nIPv4 45.159.189.105 command_and_control\t\t\t\t\t\nURL\nhttp://matfyz.cz/ phishing\t\t\tNo Expiration\t\nURL\nhttp://www.craftbychristians.com/wufn/ phishing\n No Expiration\t\t\n\nURL\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing No Expiration\t\t\nhttps://www.milehighmedia.com/legal/2257 phishing\t\t\t\nIPv4 20.99.133.109 scanning_host\t\t\t\nIPv4 218.85.157.99 scanning_host", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T18:46:23.127000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "https://www.virustotal.com/graph/g883116b41ba0417e98c7d99988fd2464797fb1fe54054692a35fe49c03255297", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Snort IDS alert for network traffic | Detected VMProtect packer", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "https://www.virustotal.com/graph/gf011ff2560014743857f4dc25899d89d7afb2779d5ae47a28a60412eb0de8f07", "System process connects to network (likely due to code injection or exploit)", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "#copyright #statements #malformed_copyright_statements", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/", "Research", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Hybrid Analysis", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Data Analysis", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Securiteinfo.com.trojan.generickd.32885218.16582.30886.dll", "Mohazo", "Trojan:msil/racoonstealer", "Trojan:win32/arkeistealer", "Trojanspy:msil/racoonstealer", "Et", "Trojan:js/smokeloader", "W32/witch.3fa0!tr", "Redline", "Webtoolbar", "Redline stealer", "Content reputation", "Gamehack", "Generic", "Inmortal", "Ransom:win32/vidar", "Lumma", "Hsbc", "Radar ineractive", "Trojan:win32/jakyllhyde", "Trojanspy", "Malware.300983" ], "industries": [ "Domain register", "Technology", "Hosting" ], "unique_indicators": 140329 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/rozbek.ltd", "whois": "http://whois.domaintools.com/rozbek.ltd", "domain": "rozbek.ltd", "hostname": "amazon.co.jp.rozbek.ltd" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 36, "pulses": [ { "id": "66d86e0d76778bf1bcb47e5d", "name": "AS140227 enriched", "description": "", "modified": "2025-06-07T15:40:37.476000", "created": "2024-09-04T14:26:21.356000", "tags": [], "references": [ "https://www.virustotal.com/graph/g883116b41ba0417e98c7d99988fd2464797fb1fe54054692a35fe49c03255297" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 1331, "domain": 4165, "hostname": 3720, "URL": 11188, "CVE": 1 }, "indicator_count": 20435, "is_author": false, "is_subscribing": null, "subscriber_count": 181, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d8d8d8238606c85e7a3979", "name": "AS200019 alexhost srl", "description": "", "modified": "2025-06-07T15:39:05.533000", "created": "2024-09-04T22:02:00.596000", "tags": [], "references": [ "https://www.virustotal.com/graph/gf011ff2560014743857f4dc25899d89d7afb2779d5ae47a28a60412eb0de8f07" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1193, "hostname": 1141, "URL": 3301, "FileHash-SHA256": 626, "CVE": 3 }, "indicator_count": 6264, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6687495ad1e4ef814ec26c75", "name": "Remote Network Attack | JakyllHyde: Malicious Keyword Tool Index | Sabey Data Centers", "description": "Research shows compromise originated from Sabey Data Centers. High Priority 'Malicious' \nRemotely connects to victim network is injection,", "modified": "2024-09-05T06:26:17.295000", "created": "2024-07-05T01:16:10.251000", "tags": [ "read c", "get na", "sthubei", "otaokexing", "unknown", "write c", "outaokexing", "cntaokexing", "ms windows", "pe32", "win64", "write", "next", "win32", "malware", "copy", "keyword tool", "historical ssl", "referrer", "vs2010", "file", "sections", "signature", "file version", "windows system", "internal name", "version", "portable", "info compiler", "analyzer paste", "iocs", "url https", "samples", "cisco umbrella", "site", "safe site", "alexa top", "million", "heur", "malware site", "malicious site", "iframe", "alexa", "deepscan", "crack", "fusioncore", "cleaner", "riskware", "jakyllhyde", "china unknown", "asnone china", "cname", "as4812 china", "as4134 chinanet", "date", "moved", "search", "status", "body", "as4837 china", "bad request", "passive dns", "gmt content", "type", "scan endpoints", "all scoreblue", "twitter", "trojan", "urls", "machinename", "alibaba cloud", "computing", "beijing", "domains", "contacted", "ip detections", "country", "files", "file type", "signals mutexes", "local", "localc", "mutexes", "as31122 digiweb", "ireland unknown", "a domains", "gmt server", "pulse pulses", "pragma", "ipv4", "apache", "get http", "request", "host", "accept", "response", "date mon", "http requests", "connection", "server", "pluginrun", "ip traffic", "hashes", "user", "dns resolutions", "ff ff", "lowdatetime", "mofresourcename", "portclsmof", "hdaudiomofname", "processorwmi", "acpimofresource", "mofresource", "registry keys", "counter", "files written", "files dropped", "registry", "samplepath", "windir", "created c", "shell commands", "monitor", "arg0", "tree", "synchronization", "yara signature", "match", "thor apt", "scanner rule", "livehunt", "ruletype", "rule feed", "rulelink", "microsoft", "ruleauthor", "backdoor", "injection", "sabey data centers", "vbs", "remote attack", "extreme targeting", "116.207.118.87", "192.168.56.103", "linux", "locate linux deployed", "track", "tracking", "track all devices", "android", "apple", "apple webkit" ], "references": [ "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "#copyright #statements #malformed_copyright_statements", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "System process connects to network (likely due to code injection or exploit)", "Snort IDS alert for network traffic | Detected VMProtect packer", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Hong Kong", "Singapore" ], "malware_families": [ { "id": "Trojan:Win32/JakyllHyde", "display_name": "Trojan:Win32/JakyllHyde", "target": "/malware/Trojan:Win32/JakyllHyde" }, { "id": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "display_name": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "target": null }, { "id": "W32/Witch.3FA0!tr", "display_name": "W32/Witch.3FA0!tr", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 682, "FileHash-SHA1": 327, "FileHash-SHA256": 2911, "SSLCertFingerprint": 4, "URL": 13039, "domain": 1038, "hostname": 2764, "email": 2, "CVE": 2 }, "indicator_count": 20769, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ad8e83914549cd4658f8e", "name": "Radar Ineractive \u2022 Inmortal \u2022 HSBC.com", "description": "carrotbat malware, SHAREit services.exe, typosquatting, fraud services, privilege, location tracking, cyber stalking, masquerading, malvertizing, malicious website, C2, control, apple, android, services, CNC, hack tools,\nMaps are real tools. \nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing & botnetwork)\nhttp://45.159.189.105/bot/regex (Botnetwork)\nhttps://www.sweetheartvideo.com/tsara-brashears/\nwww.sweetheartvideo.com\t(Tsara Brashears Botnetwork created by attacker)\nhttp://182.22.25.124:7878/182.22.25.124:443\nhttps://pin.it/ (aka malicious Pinterest)\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (100% straight female target - defamation, libel)\ndis.io\npin.it (changed targets Pinterest to this)\nRadar Ineractive \u2022 Inmortal \u2022 HSBC.com", "modified": "2023-12-20T02:02:59.943000", "created": "2023-11-20T03:56:24.105000", "tags": [ "log id", "gmtn", "passive dns", "urls", "tls web", "encrypt", "ca issuers", "f9970e", "bd6en timestamp", "a487132c3b", "false", "ssl certificate", "tsara brashears", "contacted", "referrer", "copy", "historical ssl", "collections", "password", "networks", "botnet campaign", "skynet", "fall", "hacktool", "malware", "critical", "relic", "monitoring", "attack", "hiddentear", "metro", "test", "detection list", "pattern match", "root ca", "authority", "class", "script", "mitre att", "temp", "ck id", "show technique", "ck matrix", "date", "unknown", "meta", "span", "error", "refresh", "body", "generator", "look", "verify", "restart", "hybrid", "accept", "click", "strings", "tools", "whois record", "msgid10053", "msgid10051", "communicating", "anid", "execution", "null", "core", "installer", "threat roundup", "apple ios", "august", "highly targeted", "apple", "sqli dumper", "april", "february", "awful", "radar ineractive", "october", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cisco umbrella", "site", "wormx", "malicious site", "safe site", "malware site", "alexa top", "million", "phishing site", "alexa", "phishing", "agent", "bank", "inmortal", "united", "cyber threat", "pony", "cnc zeus", "tracker", "cnc server", "covid19", "engineering", "http spammer", "host", "azorult", "asyncrat", "cobalt strike", "team", "hsbc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 815, "FileHash-SHA256": 3404, "SSLCertFingerprint": 2, "URL": 8938, "domain": 1194, "hostname": 2705, "FileHash-SHA1": 457, "CIDR": 7, "CVE": 3 }, "indicator_count": 17525, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ad83180deb1186bb4f466", "name": "Carrotbat Malware | Stalker Suite | gogglemaps.com", "description": "carrotbat malware, SHAREit services.exe, typosquatting, fraud services, privilege, location tracking, cyber stalking, masquerading, malvertizing, malicious website, C2, control, apple, android, services, CNC, hack tools, botnetwork \nMaps are real tools. \nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing & botnetwork)\nhttp://45.159.189.105/bot/regex (Botnetwork)\nhttps://www.sweetheartvideo.com/tsara-brashears/\nwww.sweetheartvideo.com\t(Tsara Brashears Botnetwork created by attacker)\nhttp://182.22.25.124:7878/182.22.25.124:443\nhttps://pin.it/ (aka malicious Pinterest)\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (100% straight female target - defamation, libel)\ndis.io\npin.it (changed targets Pinterest to this)", "modified": "2023-12-20T02:02:59.943000", "created": "2023-11-20T03:53:21.699000", "tags": [ "log id", "gmtn", "passive dns", "urls", "tls web", "encrypt", "ca issuers", "f9970e", "bd6en timestamp", "a487132c3b", "false", "ssl certificate", "tsara brashears", "contacted", "referrer", "copy", "historical ssl", "collections", "password", "networks", "botnet campaign", "skynet", "fall", "hacktool", "malware", "critical", "relic", "monitoring", "attack", "hiddentear", "metro", "test", "detection list", "pattern match", "root ca", "authority", "class", "script", "mitre att", "temp", "ck id", "show technique", "ck matrix", "date", "unknown", "meta", "span", "error", "refresh", "body", "generator", "look", "verify", "restart", "hybrid", "accept", "click", "strings", "tools", "whois record", "msgid10053", "msgid10051", "communicating", "anid", "execution", "null", "core", "installer", "threat roundup", "apple ios", "august", "highly targeted", "apple", "sqli dumper", "april", "february", "awful", "radar ineractive", "october", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cisco umbrella", "site", "wormx", "malicious site", "safe site", "malware site", "alexa top", "million", "phishing site", "alexa", "phishing", "agent", "bank", "inmortal", "united", "cyber threat", "pony", "cnc zeus", "tracker", "cnc server", "covid19", "engineering", "http spammer", "host", "azorult", "asyncrat", "cobalt strike", "team", "hsbc", "noname057", "generic malware", "blacklist http", "malicious url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 815, "FileHash-SHA256": 3404, "SSLCertFingerprint": 2, "URL": 8938, "domain": 1195, "hostname": 2705, "FileHash-SHA1": 457, "CIDR": 7, "CVE": 3 }, "indicator_count": 17526, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://amazon.co.jp.rozbek.ltd", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://amazon.co.jp.rozbek.ltd", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776681358.0858524 }