{ "type": "URL", "indicator": "https://api.dawsodemo.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.dawsodemo.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3754856266, "indicator": "https://api.dawsodemo.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 186942, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7119615db47ea27706a86", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-04-12T23:03:13.367000", "created": "2024-01-29T02:46:46.076000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9102, "CVE": 5, "FileHash-MD5": 68, "FileHash-SHA1": 67, "FileHash-SHA256": 2209, "domain": 1427, "hostname": 4334 }, "indicator_count": 17212, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eada25525805ad74c32b54", "name": "(Cloned from OTX user) OTX pulses modified and deleted by ???", "description": "", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-08T09:28:05.923000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "65e9b2408fd9557692402b03", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e9b2408fd9557692402b03", "name": "Why are OTX pulses modified and by whom when it's not the user?", "description": "There are several OTC accounts that are experiencing unauthorized logins. Users have a common theme, keen awareness, learning from experiences, Apple , state, gov personal accounts of being hacked, have personal network/router , phone or relatives and.or associated (civil society) experiencing cyber attacks.Indicators are being removed at record pace. Some pulses have been deleted altogether. Threat actors are logging in as user by exploiting or creating a vulnerability on user device or login. From what I've learned , there is a history on user device. I hope I'm still allowed to use platform after this. I noticed some accounts were submitting and modifying 24/7. A user in a TH group forum discussed bulk deletion, non-public modified and deleted Pulses.", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-07T12:25:36.098000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bca8fcbe62297d71b47c33", "name": "Ragnar Locker", "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n 108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.", "modified": "2024-03-03T08:00:03.432000", "created": "2024-02-02T08:34:04.425000", "tags": [ "referrer", "contacted", "whois record", "ssl certificate", "whois whois", "contacted urls", "execution", "historical ssl", "red team", "gang breached", "agent tesla", "redline stealer", "metro", "android", "urls url", "files", "kgs0", "kls0", "orgtechhandle", "orgtechref", "orgabusehandle", "orgdnshandle", "orgdnsref", "whois lookup", "netrange", "nethandle", "net108", "net1080000", "communicating", "urls http", "ransomware gang", "breached", "team", "first", "utc submissions", "submitters", "gandi sas", "psiusa", "domain robot", "porkbun llc", "keysystems gmbh", "csc corporate", "domains", "domain name", "network pty", "tucows", "com laude", "dynadot inc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8354, "FileHash-MD5": 104, "FileHash-SHA1": 81, "FileHash-SHA256": 2711, "CIDR": 5, "CVE": 6, "domain": 1489, "hostname": 3058, "email": 5 }, "indicator_count": 15813, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65de941acedcdd661f0593b6", "name": "Esurance Remote Attacks (Cloned. Who modifies reports? This happens to me)", "description": "", "modified": "2024-02-28T02:02:02.807000", "created": "2024-02-28T02:02:02.807000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": "65b711a6f49f057c311f2642", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "781 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80763e9d9e18cf87d985b", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T20:15:31.163000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": "65b711a6f49f057c311f2642", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b711a6f49f057c311f2642", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T02:47:02.117000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7119e9272b1426729e1ed", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T02:46:54.594000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659d687f92ebb4f3d613ae0c", "name": "Mimikatz | www.ssc.spaceforce.mil ", "description": "", "modified": "2024-01-09T15:38:39.547000", "created": "2024-01-09T15:38:39.547000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655cd0f065d2e5a6c92369e5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "831 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9b46382eefe9b0acda21", "name": "http://fireeyei.iowa.gov/", "description": "", "modified": "2023-12-26T23:03:25.397000", "created": "2023-12-02T02:49:42.129000", "tags": [ "passive dns", "urls", "scan endpoints", "pulse pulses", "files", "verdict", "domain", "files ip", "address", "location united", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "script", "beginstring", "severity", "null", "unknown", "date", "error", "refresh", "span", "class", "generator", "critical", "tools", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "ssl certificate", "whois record", "historical ssl", "referrer", "resolutions", "contacted", "historical", "communicating", "whois whois", "siblings", "execution", "united", "malware", "phishing site", "malicious site", "malware site", "ibm xforce", "exchange", "mail spammer", "firehol", "phishing", "fuery", "unsafe", "rostpay", "wacatac", "genkryptik", "riskware", "artemis", "qakbot", "asyncrat", "cobalt strike", "team", "installcore", "generic malware", "keylogger", "downloader", "tag count", "mon feb", "threat report", "ip summary", "url summary", "summary", "sample", "first", "blacklist https", "productidis", "cisco umbrella", "site", "alexa top", "million", "safe site", "adware", "heur", "filerepmalware", "seraph", "webcompanion", "redline stealer", "opencandy", "azorult", "service", "runescape", "facebook", "bank", "download", "maltiverse", "site top", "site safe", "malicious", "cve201711882", "phish", "driverreviver", "o.gen", "redline", "blacklist http", "microsoft", "detection list", "blacklist", "south carolina", "union", "traffic", "node tcp", "spammer", "tor known", "tor relayrouter", "host" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "O.gen", "display_name": "O.gen", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "65642d43a6029c41643dfb5e", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 816, "hostname": 1542, "URL": 5023, "FileHash-SHA256": 1827, "FileHash-MD5": 786, "FileHash-SHA1": 403, "CVE": 4 }, "indicator_count": 10401, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65642d43a6029c41643dfb5e", "name": "http://fireeyei.iowa.gov/", "description": "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "modified": "2023-12-26T23:03:25.397000", "created": "2023-11-27T05:46:43.630000", "tags": [ "passive dns", "urls", "scan endpoints", "pulse pulses", "files", "verdict", "domain", "files ip", "address", "location united", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "script", "beginstring", "severity", "null", "unknown", "date", "error", "refresh", "span", "class", "generator", "critical", "tools", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "ssl certificate", "whois record", "historical ssl", "referrer", "resolutions", "contacted", "historical", "communicating", "whois whois", "siblings", "execution", "united", "malware", "phishing site", "malicious site", "malware site", "ibm xforce", "exchange", "mail spammer", "firehol", "phishing", "fuery", "unsafe", "rostpay", "wacatac", "genkryptik", "riskware", "artemis", "qakbot", "asyncrat", "cobalt strike", "team", "installcore", "generic malware", "keylogger", "downloader", "tag count", "mon feb", "threat report", "ip summary", "url summary", "summary", "sample", "first", "blacklist https", "productidis", "cisco umbrella", "site", "alexa top", "million", "safe site", "adware", "heur", "filerepmalware", "seraph", "webcompanion", "redline stealer", "opencandy", "azorult", "service", "runescape", "facebook", "bank", "download", "maltiverse", "site top", "site safe", "malicious", "cve201711882", "phish", "driverreviver", "o.gen", "redline", "blacklist http", "microsoft", "detection list", "blacklist", "south carolina", "union", "traffic", "node tcp", "spammer", "tor known", "tor relayrouter", "host" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "O.gen", "display_name": "O.gen", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 816, "hostname": 1542, "URL": 5023, "FileHash-SHA256": 1827, "FileHash-MD5": 786, "FileHash-SHA1": 403, "CVE": 4 }, "indicator_count": 10401, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aa27f81a9096f5889a9d0", "name": "WebToolbar | www.ssc.spaceforce.mil ", "description": "", "modified": "2023-12-21T15:00:07.190000", "created": "2023-12-02T03:20:31.494000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655cd0f065d2e5a6c92369e5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ce5116519bd86d1f1bdee", "name": "FormBook | www.ssc.spaceforce.mil 'Hoax' | Spyware | Fraud Services", "description": "", "modified": "2023-12-21T15:00:07.190000", "created": "2023-11-21T17:12:49.783000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655cd0f065d2e5a6c92369e5", "name": "www.ssc.spaceforce.mil", "description": "", "modified": "2023-12-21T15:00:07.190000", "created": "2023-11-21T15:46:56.740000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655af35616dbd4781c681948", "name": "Spyware: http://browser.events.data.microsoftstart.cn", "description": "", "modified": "2023-12-19T13:01:12.394000", "created": "2023-11-20T05:49:10.586000", "tags": [ "linkid246338", "whois record", "ssl certificate", "contacted", "execution", "historical ssl", "whois whois", "communicating", "resolutions", "referrer", "random", "august", "lockbit", "attack", "core", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "script", "temp", "ascii text", "date", "unknown", "service", "generator", "critical", "error", "meta", "hybrid", "local", "click", "strings", "threat roundup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": "655a13e4538e896c00f2077e", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 28, "FileHash-SHA256": 2526, "URL": 3515, "domain": 458, "hostname": 1092 }, "indicator_count": 7653, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655a13e4538e896c00f2077e", "name": "Spyware: http://browser.events.data.microsoftstart.cn", "description": "This report is generated by MITRE ATT&CK\u2122 and produced by the team at the University of California, San Francisco, and is available on the web, via the Microsoft Research website.\nTulach, 114.114.114.114, spyware, phishing, fraud, malvertizing, password cracker, iPhone unlocker, malicious, media sharing, miscellaneous attacks.", "modified": "2023-12-19T13:01:12.394000", "created": "2023-11-19T13:55:48.898000", "tags": [ "linkid246338", "whois record", "ssl certificate", "contacted", "execution", "historical ssl", "whois whois", "communicating", "resolutions", "referrer", "random", "august", "lockbit", "attack", "core", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "script", "temp", "ascii text", "date", "unknown", "service", "generator", "critical", "error", "meta", "hybrid", "local", "click", "strings", "threat roundup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 28, "FileHash-SHA256": 2526, "URL": 3515, "domain": 458, "hostname": 1092 }, "indicator_count": 7653, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655907b4d8c905f4475d8bcc", "name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3", "description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T16:03:26.037000", "created": "2023-11-18T18:51:32.856000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8650, "hostname": 3073, "domain": 2708, "FileHash-MD5": 118, "FileHash-SHA256": 3552, "FileHash-SHA1": 104 }, "indicator_count": 18205, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655907b9da2479892590b77a", "name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3", "description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T16:03:26.037000", "created": "2023-11-18T18:51:37.411000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8650, "hostname": 3073, "domain": 2708, "FileHash-MD5": 118, "FileHash-SHA256": 3552, "FileHash-SHA1": 104 }, "indicator_count": 18205, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65552832e2ebc1d277d13420", "name": "Threat Network", "description": "Malvertizing,\nt.call, \nHello,\nhttps://www.milehighmedia.com/legal/2257,\nphishing,\ntrojanspyware,\nmonitoring,\nhttps://to.hofer.at/iphone,\nNXDOMAIN", "modified": "2023-12-15T19:02:53.792000", "created": "2023-11-15T20:21:06.879000", "tags": [ "a nxdomain", "unknown", "dns show", "search", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "contacted", "pe resource", "isadmin", "collections", "neural netw", "problems", "threat network", "infrastructure", "referrer", "ads into", "javascript", "javascript http", "win32 exe", "type name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 260, "hostname": 331, "URL": 904, "FileHash-MD5": 67, "FileHash-SHA1": 47, "FileHash-SHA256": 1533 }, "indicator_count": 3142, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65552550c406412cd83dec6f", "name": "t.call | https://www.milehighmedia.com/legal/2257 (phishing)", "description": "Malvertizing\nt.call\nhttps://www.milehighmedia.com/legal/2257 (T Brazzers| Phishing)\nphishing\ntrojanspyware\nmonitoring", "modified": "2023-12-15T19:02:53.792000", "created": "2023-11-15T20:08:48.881000", "tags": [ "a nxdomain", "unknown", "dns show", "search", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "contacted", "pe resource", "isadmin", "collections", "neural netw", "problems", "threat network", "infrastructure", "referrer", "ads into", "javascript", "javascript http", "win32 exe", "type name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 260, "hostname": 331, "URL": 904, "FileHash-MD5": 67, "FileHash-SHA1": 47, "FileHash-SHA256": 1533 }, "indicator_count": 3142, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568a146bed0e035fee11e7", "name": "Threat Network", "description": "", "modified": "2023-12-15T19:02:53.792000", "created": "2023-11-16T21:31:00.134000", "tags": [ "a nxdomain", "unknown", "dns show", "search", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "contacted", "pe resource", "isadmin", "collections", "neural netw", "problems", "threat network", "infrastructure", "referrer", "ads into", "javascript", "javascript http", "win32 exe", "type name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65552832e2ebc1d277d13420", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 260, "hostname": 331, "URL": 904, "FileHash-MD5": 67, "FileHash-SHA1": 47, "FileHash-SHA256": 1533 }, "indicator_count": 3142, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655689e7e3250ae1a6a9be2f", "name": "t.call | https://www.milehighmedia.com/legal/2257 (phishing)", "description": "", "modified": "2023-12-15T19:02:53.792000", "created": "2023-11-16T21:30:15.183000", "tags": [ "a nxdomain", "unknown", "dns show", "search", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "contacted", "pe resource", "isadmin", "collections", "neural netw", "problems", "threat network", "infrastructure", "referrer", "ads into", "javascript", "javascript http", "win32 exe", "type name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65552550c406412cd83dec6f", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 260, "hostname": 331, "URL": 904, "FileHash-MD5": 67, "FileHash-SHA1": 47, "FileHash-SHA256": 1533 }, "indicator_count": 3142, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568ab12429c394dc4b91ea", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go", "description": "", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-16T21:33:37.838000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6553b88c316cfb531b9c4c10", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6553b88c316cfb531b9c4c10", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com", "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-14T18:12:28.459000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568d67bd96e06ab44b9b95", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-16T21:45:11.721000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "65536bdc3676a40633a619be", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bdc3676a40633a619be", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:45:16.667000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bc6301b7cdf7d04e095", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:44:54.422000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a835fc0836f148fa45c8", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2023-12-06T16:58:29.243000", "created": "2023-12-06T16:58:29.243000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7fc464f9f56ac33a389", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:32.030000", "created": "2023-12-06T16:57:32.030000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7e7daf278491d9f9eb4", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:11.228000", "created": "2023-12-06T16:57:11.228000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a521974bdb5d6dbda092", "name": "", "description": "", "modified": "2023-12-06T16:45:21.776000", "created": "2023-12-06T16:45:21.776000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5109ecc3c75c949f950", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-12-06T16:45:04.296000", "created": "2023-12-06T16:45:04.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4f322399eb1db2a07b2", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-12-06T16:44:35.786000", "created": "2023-12-06T16:44:35.786000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4e083c4acd789ea7e58", "name": "Blacklisted", "description": "", "modified": "2023-12-06T16:44:16.060000", "created": "2023-12-06T16:44:16.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2258, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15663, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4d5c14495fcf65ee8a5", "name": "Netsky", "description": "", "modified": "2023-12-06T16:44:05.631000", "created": "2023-12-06T16:44:05.631000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4cb97598bac143dc90b", "name": "Critical: Pinterest Cyber Espionage", "description": "", "modified": "2023-12-06T16:43:55.639000", "created": "2023-12-06T16:43:55.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136b5eb9bdd21070ff9d7", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:41.263000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c1ac991f85328604d2", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:52.382000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c8e530066ae793dc64", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:18:00.623000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65413ea960cc79abf6d446fb", "name": "Vawtrak credential stealer | CNC", "description": "Cyber warfare\nTracking\nMonitoring\nMalvertizing\nCNC\nKeylogging\nBotNet\nSever Privacy Invasion", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:51:37.016000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545be6e02e0f9f82cb1febf", "name": "Vawtrak credential stealer | CNC", "description": "", "modified": "2023-11-30T07:01:37.424000", "created": "2023-11-04T03:45:50.234000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "65413ea960cc79abf6d446fb", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.malwarebytes.com/emotet", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://applemusic-spotlight.myunidays.com/US/en-US?", "monitor.cablelan.net", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "remote.telegrafix.com (remote hacking)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "Ryuk: kramtechnology.com", "dishmail.net", "https://api.wavebrowserbase.com", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "server-18-161-6-16.hio52.r.cloudfront.net", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "home.toshiba.com", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Behavior Pattern Match Analysis", "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "45.159.189.105 (Command and Control)", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "init.ess.apple.com (remote hacking)", "ytq2rs56.haogfw.com", "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "https://applepaydayloans.com/", "Ryuk: http://kramtechnology.com/", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://www.everycloudtech.com/free-mail-flow-monitor", "https://www.roseoubleu.fr/panier (phishing)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "http://www.Apple.com/quicktime/download", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "http://init-p01st.push.apple.com/bag (remote hacking)", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "myhughesnet.com", "pornhub.com", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "firebaseremoteconfig.googleapis.com (remote hacking)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "stagelight.pl (malicious/ pattern match)", "Roksit.net", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://45.159.189.105/bot/regex (Bot Command)", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "remote.haverhillcc.com (remote hacking)", "www.jamesbgriffinlaw.com (malicious host)", "https://monitor.rodgersmith.com", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://www.apple.com/sitemap/", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "applepaydayloans.com", "http://www.Apple.com/quicktime/download/standalone.html", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "https://www.esurance.com/", "Data Analytics", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "Botnet Server IP: 141.226.230.48", "apple.com. (malicious version/header)", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx.", "https://sinister.ly/Thread-Apple-empty-box?page=13", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "newrelic.se", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "http://ww1.tsx.org/_fd", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "Ransom: message.htm.com", "https://support.Apple.com/de", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan.html.agent", "Gen:variant.bulz", "Bulz", "Webtoolbar", "Generic", "Tel:trojan:win32/emotet", "Blacknet", "Artemis", "Alf:program:opencandy:remnant", "Sdbot.caoc", "Zbot", "Skynet", "Slfper:installcore", "Trojan.ransom.generickd", "Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar", "Generic.31fcc75f", "Redline stealer", "Trojan.ole2.vbs", "Lolkek", "Gamehack.dr", "Redline", "Proxy", "Gc", "Malware.generic", "Dropper.binder", "Qvm20.1.8d80.malware", "Et", "Generic.malware", "Cl0p", "W32.hack.generic", "Worm:win32/netsky", "Backdoor.mokes", "Ramnit", "Sodin ransomware", "Trojan.generic", "Roblox", "Quasar", "Tel:delphi/obfuscator", "Keyloggers", "Maltiverse", "Pws:msil/steam", "Cobalt strike - s0154", "Malicious.22a4c0", "Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea", "Anonymizer", "Laplasclipper", "Gen:variant.zusy", "Phish.ab", "Ml.generic", "#lowfi:siga:trojanspy:msil/keylogger", "Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat", "Driverreviver", "Adwaresig [adw] ml.generic", "Trojanspy", "#hstr:hacktool:win32/mimikatz", "O.gen", "Fragtor", "Gen:variant.razy", "Emotet", "Relic", "Adware.dropware" ], "industries": [ "Government", "Telecom", "Civil society", "Defense", "Insurance" ], "unique_indicators": 219740 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dawsodemo.com", "whois": "http://whois.domaintools.com/dawsodemo.com", "domain": "dawsodemo.com", "hostname": "api.dawsodemo.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 186942, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7119615db47ea27706a86", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-04-12T23:03:13.367000", "created": "2024-01-29T02:46:46.076000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9102, "CVE": 5, "FileHash-MD5": 68, "FileHash-SHA1": 67, "FileHash-SHA256": 2209, "domain": 1427, "hostname": 4334 }, "indicator_count": 17212, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eada25525805ad74c32b54", "name": "(Cloned from OTX user) OTX pulses modified and deleted by ???", "description": "", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-08T09:28:05.923000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "65e9b2408fd9557692402b03", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e9b2408fd9557692402b03", "name": "Why are OTX pulses modified and by whom when it's not the user?", "description": "There are several OTC accounts that are experiencing unauthorized logins. Users have a common theme, keen awareness, learning from experiences, Apple , state, gov personal accounts of being hacked, have personal network/router , phone or relatives and.or associated (civil society) experiencing cyber attacks.Indicators are being removed at record pace. Some pulses have been deleted altogether. Threat actors are logging in as user by exploiting or creating a vulnerability on user device or login. From what I've learned , there is a history on user device. I hope I'm still allowed to use platform after this. I noticed some accounts were submitting and modifying 24/7. A user in a TH group forum discussed bulk deletion, non-public modified and deleted Pulses.", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-07T12:25:36.098000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "743 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bca8fcbe62297d71b47c33", "name": "Ragnar Locker", "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n 108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.", "modified": "2024-03-03T08:00:03.432000", "created": "2024-02-02T08:34:04.425000", "tags": [ "referrer", "contacted", "whois record", "ssl certificate", "whois whois", "contacted urls", "execution", "historical ssl", "red team", "gang breached", "agent tesla", "redline stealer", "metro", "android", "urls url", "files", "kgs0", "kls0", "orgtechhandle", "orgtechref", "orgabusehandle", "orgdnshandle", "orgdnsref", "whois lookup", "netrange", "nethandle", "net108", "net1080000", "communicating", "urls http", "ransomware gang", "breached", "team", "first", "utc submissions", "submitters", "gandi sas", "psiusa", "domain robot", "porkbun llc", "keysystems gmbh", "csc corporate", "domains", "domain name", "network pty", "tucows", "com laude", "dynadot inc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8354, "FileHash-MD5": 104, "FileHash-SHA1": 81, "FileHash-SHA256": 2711, "CIDR": 5, "CVE": 6, "domain": 1489, "hostname": 3058, "email": 5 }, "indicator_count": 15813, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65de941acedcdd661f0593b6", "name": "Esurance Remote Attacks (Cloned. Who modifies reports? This happens to me)", "description": "", "modified": "2024-02-28T02:02:02.807000", "created": "2024-02-28T02:02:02.807000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": "65b711a6f49f057c311f2642", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "781 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.dawsodemo.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.dawsodemo.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629416.6134439 }