{ "type": "URL", "indicator": "https://api.ip.sb/ipif/with", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.ip.sb/ipif/with", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3809834887, "indicator": "https://api.ip.sb/ipif/with", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "80 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 40664, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "168 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d37e35f99d852d38beb769", "name": "Cryptex Port Key \u2022 RedLine Stealer affects Threat Research Platform/s", "description": "#attack? #honeypot?", "modified": "2025-10-24T04:02:54.218000", "created": "2025-09-24T05:14:28.101000", "tags": [ "x00x00n", "memcommit", "regopenkeyexw", "regsz", "else", "ipnnoysrdi tr", "writeconsolew", "cryptexportkey", "invalid pointer", "x1ex00x00n", "redline stealer", "service", "powershell", "tools", "persistence", "execution", "dock", "write", "updater", "malware", "passive dns", "urls", "url add", "ip address", "related nids", "files location", "hong kong", "united", "present jul", "present dec", "search", "present may", "a domains", "name servers", "unknown aaaa", "trojan", "present jan", "present sep", "moved", "title", "span td", "td td", "tr tr", "a li", "ipv4 internet", "span", "meta", "gmt content", "ipv4 add", "reverse dns", "trojanx", "location hong kong", "software", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "ascii text", "pattern match", "mitre att", "ck matrix", "sha1", "odigicert inc", "network traffic", "general", "local", "path", "encrypt", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "crlf line", "urlhttps", "extracted files", "acquires", "networking", "readiness" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 150, "FileHash-SHA1": 148, "FileHash-SHA256": 3059, "domain": 1277, "URL": 4166, "hostname": 1251, "SSLCertFingerprint": 10, "email": 1 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a76c2901b34c79a681596d", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following , being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T05:56:57.948000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a77c6a22a236495c4548d6", "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.' PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T07:06:18.453000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "remote", "malvertizing", "spying", "cyber stalking" ], "references": [ "https://tulach.cc/", "go.sabey.com", "sabey.com", "cellebrite.com", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "https://www.pornhub.com/video/search?search=tsara+brashears", "remote.aciscomputers.com", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "114.114.114.114 [Tulach]", "nr-data.net [Apple Private Data Collection]", "defenselawyernj.com", "attorney-marketing-specialists.com ?", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "https://t.me/hermitspyware/24", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "http://watchhers.net/index.php [remote attackers | malware spreader]", "api-stage.pornhub.com", "newbrazzers.com [y8.com]", "www.videolan.org [info solutions]", "www2.blackbagtech.com [hidden users included]", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "http://pegasus.diskel.co.uk/ [phishing]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "fds.cellebrite.com", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "http://download.virtualbox.org/virtualbox/debian", "match.pegasus.isi.edu", "asp.net", "http://dropbox.com/ [ intrusions/ dropbox stealer]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" } ], "industries": [ "Individual", "Patient", "Healthcare", "Survivor" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3157, "domain": 2903, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13639, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80a20bbcd0eb305a740ec", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-29T20:27:12.899000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "nr-data.net [Apple Private Data Collection]", "rp.downloadastrocdn.com [command_and_control]", "http://watchhers.net/index.php [remote attackers | malware spreader]", "https://www.pornhub.com/video/search?search=tsara+brashears", "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "checkip.dyndns.org [command_and_control]", "http://pegasus.diskel.co.uk/ [phishing]", "104.86.182.8 [command_and_control]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "api-stage.pornhub.com", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "tulach.cc [AM | phishing]", "go.sabey.com", "https://tulach.cc/ [phishing attacks]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "www-stage40.pornhub.com", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "3.163.189.120 [Tracking]", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A", "www.videolan.org [info solutions]", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "browser.events.data.msn.com | events-sandbox.data.msn.com", "114.114.114.114 [Tulach]", "defenselawyernj.com", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "103.224.182.246 [command_and_control]", "attorney-marketing-specialists.com ?", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "asp.net", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "103.224.182.253 [command_and_control]", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "hanmail.net", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "http://download.virtualbox.org/virtualbox/debian", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "www2.blackbagtech.com [hidden users included]", "work.a-poster.info", "114.114.114.114", "api2ip.ua \u00bb External IP Lookup Service Domain", "newbrazzers.com [y8.com]", "match.pegasus.isi.edu", "fds.cellebrite.com", "cellebrite.com", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "http://dropbox.com/ [ intrusions/ dropbox stealer]", "https://sslproxy.gatewayclient3.v.hikops.com", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "www.supernetforme.com [command_and_control]", "https://twitter.com/PORNO_SEXYBABES", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "ddos.dnsnb8.net [command_and_control]", "remote.aciscomputers.com", "86.140.232.148 [scanning_host]", "Gowi Live Bot.exe", "sabey.com", "https://t.me/hermitspyware/24", "https://www.reddit.com/user/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/comspec", "Honeypot", "Trojandownloader:win32/tofsee", "Tulach", "Agent tesla", "Virtool:win32/tofsee", "Exodus", "Quasar rat", "Win32:pwsx-gen\\ [trj]", "Sabey", "Static ai - malicious pe", "Adware.pcappstore/veryfast", "Hacktool", "Nsis", "Tulach malware", "Trojan:win32/meredrop", "Hallrender", "Trojan:win32/eqtonex", "Alf:trojan:bat/envvarcharreplacement", "Am", "Win.dropper.tofsee-10023347-0", "Trojan:win32/azorult", "#lowfi:hstr:win32/exprio", "Pws:win32/raven", "Kimsuky", "Backdoor:win32/tofsee", "Virtool:win32/obfuscator", "Malware", "Trojan:win32/danabot" ], "industries": [ "Individual", "Patient", "Healthcare", "Survivor" ], "unique_indicators": 56899 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ip.sb", "whois": "http://whois.domaintools.com/ip.sb", "domain": "ip.sb", "hostname": "api.ip.sb" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "80 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 40664, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "168 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d37e35f99d852d38beb769", "name": "Cryptex Port Key \u2022 RedLine Stealer affects Threat Research Platform/s", "description": "#attack? #honeypot?", "modified": "2025-10-24T04:02:54.218000", "created": "2025-09-24T05:14:28.101000", "tags": [ "x00x00n", "memcommit", "regopenkeyexw", "regsz", "else", "ipnnoysrdi tr", "writeconsolew", "cryptexportkey", "invalid pointer", "x1ex00x00n", "redline stealer", "service", "powershell", "tools", "persistence", "execution", "dock", "write", "updater", "malware", "passive dns", "urls", "url add", "ip address", "related nids", "files location", "hong kong", "united", "present jul", "present dec", "search", "present may", "a domains", "name servers", "unknown aaaa", "trojan", "present jan", "present sep", "moved", "title", "span td", "td td", "tr tr", "a li", "ipv4 internet", "span", "meta", "gmt content", "ipv4 add", "reverse dns", "trojanx", "location hong kong", "software", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "ascii text", "pattern match", "mitre att", "ck matrix", "sha1", "odigicert inc", "network traffic", "general", "local", "path", "encrypt", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "crlf line", "urlhttps", "extracted files", "acquires", "networking", "readiness" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 150, "FileHash-SHA1": 148, "FileHash-SHA256": 3059, "domain": 1277, "URL": 4166, "hostname": 1251, "SSLCertFingerprint": 10, "email": 1 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a76c2901b34c79a681596d", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following , being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T05:56:57.948000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a77c6a22a236495c4548d6", "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.' PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T07:06:18.453000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "remote", "malvertizing", "spying", "cyber stalking" ], "references": [ "https://tulach.cc/", "go.sabey.com", "sabey.com", "cellebrite.com", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "https://www.pornhub.com/video/search?search=tsara+brashears", "remote.aciscomputers.com", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "114.114.114.114 [Tulach]", "nr-data.net [Apple Private Data Collection]", "defenselawyernj.com", "attorney-marketing-specialists.com ?", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "https://t.me/hermitspyware/24", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "http://watchhers.net/index.php [remote attackers | malware spreader]", "api-stage.pornhub.com", "newbrazzers.com [y8.com]", "www.videolan.org [info solutions]", "www2.blackbagtech.com [hidden users included]", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "http://pegasus.diskel.co.uk/ [phishing]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "fds.cellebrite.com", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "http://download.virtualbox.org/virtualbox/debian", "match.pegasus.isi.edu", "asp.net", "http://dropbox.com/ [ intrusions/ dropbox stealer]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" } ], "industries": [ "Individual", "Patient", "Healthcare", "Survivor" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3157, "domain": 2903, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13639, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80a20bbcd0eb305a740ec", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-29T20:27:12.899000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.ip.sb/ipif/with", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.ip.sb/ipif/with", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780238376.7207806 }