{ "type": "URL", "indicator": "https://api.rvvc.im", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.rvvc.im", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2856289762, "indicator": "https://api.rvvc.im", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "691439014fa9d79406a83e8e", "name": "Mirai Botnet \u2022 Michael Crincoli - | Patient Fusion", "description": "I researched this doctor because of patient documentation of unethical practices , injury , blood toxicity and other very strange circumstances experienced by a monitored target. \nMD is based in Arizona, comes to Denver for certain cases. There weren\u2019t any follow ups or return calls after serious side affects that needed aggressive intervention.", "modified": "2025-12-12T05:04:18.490000", "created": "2025-11-12T07:36:33.673000", "tags": [ "practice fusion", "patient fusion", "ave suite", "denver", "help log", "physical", "medicine", "book", "friday", "united", "present aug", "present nov", "present oct", "present sep", "present jul", "present jun", "ip address", "url analysis", "msie", "chrome", "formbook cnc", "checkin", "win64", "next associated", "smokeloader", "twitter", "cookie", "ipv4", "hosting", "suite", "verdict", "present may", "domain add", "files show", "avast avg", "post", "http traffic", "high", "south korea", "taiwan as3462", "python", "agent", "malware", "russia asnone", "czechia as51420", "italy as47217", "belgium as5432", "serbia as15958", "germany as34011", "contacted", "file score", "detections elf", "eseries device", "rce attempt", "outbound python", "user agent", "p2p_cnc", "network_http_post", "network_http", "network_cnc_http", "dead_host", "network_icmp", "osquery_detection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "tcp syn", "resolverror", "yara detections", "expl", "ddos", "icmp traffic", "copy", "mirai", "writes_to_stdout", "nolookup_communication", "tcp_syn_scan", "network_icmp", "host", "network_irc", "crincoli", "md", "mirai botnet", "brian sabey", "hall render", "michael crincoli", "palantir", "foundry" ], "references": [ "https://www.patientfusion.com/doctor/michael-crincoli-59108", "demos.palantirfoundry.com", "http://southwestphysiatry.com/", "IDS Detections: Linksys E-Series Device RCE Attempt Outbound", "IDS Detections: Python Requests Suspicious User Agent", "IDS Detections: HTTP traffic on port 443 (POST)", "IDS Detections : Mirai Variant Spreading", "Yara Detections : Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai", "Yara: Descriptive: Mirai_Botnet_Malware /dev/misc/watchdog \u2022 Mirai_2 /dev/watchdog", "Yara Descriptive: \u2022 is__elf \u007fELF \u2022 Linux_Mirai /dev/watchdog", "http://www.hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "http://www.hallrender.com/attorney/brian-sabey-anyxxxtube.net/search-porn/tsara-brashears", "click.marketing.hallrender.com \u2022 hallrender.com \u2022 autodiscover.hallrender.com", "https://click.marketing.hallrender.com/?qs=9f3b0a760973d5628ba046a192f7fe432889bb96dc51578763a9cf11358dcde635e137184c12a031617f00faa9d172d8", "hallrender.com \u2022 wwdancehall.com \u2022 hallplan.vm05.iveins.de\t \u2022 iveins.de \u2022 http://hallplan.vm05.iveins.de", "prosperhall.edsby.com \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/Accept \u2022 https://hallrender.com/wp-content/uploads/vcards/", "http://hallrender.com/attorney/bsabey \u2022 http://hallrender.com/attorney/gregg-m-wallander", "http://hallrender.com/attorney/gregg-m-wallander/\u2022 http://hallrender.com/resources/ \u2022 http://hallrender.com/resources/blog/ \u2022 http://officemarketing.hallrender.com/ \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com/", "The Hall Render Brian Sabey malicious media campaign was so unexpected.", "MD refused to disclose medication cocktail he was injecting into patient. Patient suffered long term harm." ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Netherlands", "Russian Federation", "Belgium", "Germany", "Serbia", "United States of America" ], "malware_families": [ { "id": "Unix.Trojan.Gafgyt-6748839-0", "display_name": "Unix.Trojan.Gafgyt-6748839-0", "target": null }, { "id": "ELF:Hajime-R\\ [Trj]", "display_name": "ELF:Hajime-R\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Variant Spreading", "display_name": "Mirai Variant Spreading", "target": null }, { "id": "DDoS:Linux/Gafgyt", "display_name": "DDoS:Linux/Gafgyt", "target": "/malware/DDoS:Linux/Gafgyt" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5572, "domain": 788, "hostname": 1607, "email": 6, "FileHash-SHA256": 505, "FileHash-MD5": 132, "FileHash-SHA1": 128, "CVE": 2 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1ece3b935bda6b9d3e10b", "name": "Cyber espionage & Ransomware attacks spread via Phone call? II.", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-03-01T14:57:39.828000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 88, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c970ef974adf44ef24c9a2", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-12T01:14:23.337000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c09e487b3899f3442aed96", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-05T08:37:28.774000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c012b5e56cc9474ebb701f", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c012b5e56cc9474ebb701f", "name": "Cyber espionage & Ransomware attacks spread via Phone calls", "description": "Very strange and critical occurrences of businesses, healthcare facilities and individuals becoming part of a botnet and hacking attack when call connects with certain individuals. Healthcare facilities may be spreading this very critical vulnerability. Attacker has access to every device & camera of affected.\n*Smoke Loader\nSmoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-04T22:41:55.432000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48b6ea16eeb6b54dfad7c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears", "description": "", "modified": "2024-01-15T01:33:34.790000", "created": "2024-01-15T01:33:34.790000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6590f9b6b1fe0330c655c25f", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "826 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9b6b1fe0330c655c25f", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears ", "description": "", "modified": "2023-12-31T05:18:46.519000", "created": "2023-12-31T05:18:46.519000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "658741502e029e25c7152cc0", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "841 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658741502e029e25c7152cc0", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:36.641000", "created": "2023-12-23T20:21:36.641000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "848 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6587414f2e029e25c7152cbf", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:35.725000", "created": "2023-12-23T20:21:35.725000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "848 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c7a11d7541bdb3bfe5ff", "name": "Radar Ineractive. Law Firm responsible for cyber crime.", "description": "Is this legal. Attorney from Hall Render law firm cyber stalking and malvertizing targets in adult content, dungeons, death scenarios, suicide threats? Pulse auto populates targets: Tsara Brashears 'alleged' SA victim. This may not be the forum for my , death threats should always be investigated as should allegations of assault. Malware, BotNet, car and phone tracking, monitoring, injection, .gov is found throughout. Monitoring of Safebae.org; online movement began by now deceased 'alleged' SA victim, Daisy Coleman of Audrey & Daisy. High Risk surviving target. Crazy cover up? Each target seems to have a state government power 'implicated' in attack. \n\nEd Said", "modified": "2023-12-16T19:40:11.047000", "created": "2023-11-03T10:12:49.539000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1644, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13455, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570816fa5b73f6d66bce4bb", "name": "Sandbox - Vi;https://edu-cisco.org - conti touched", "description": "", "modified": "2023-12-06T14:13:03.193000", "created": "2023-12-06T14:13:03.193000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 231, "domain": 42, "hostname": 154, "URL": 419, "FileHash-MD5": 59, "FileHash-SHA1": 46, "email": 2 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a94d1bdedd646afda170d", "name": "Resources Hijacking by Attorney 11_03_2023", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-12-02T02:22:09.814000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "869 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6546d206936ee17a0828d9c9", "name": "Deptlock Browser Compromise attack initiated by malicious (SOC) Partner ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T23:21:42.110000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "869 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545bda27bd3a147ebac71a8", "name": "CNC Feodo Tracker | Resources Hijacking by Attorney ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T03:42:26.978000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "869 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545a303731b2df439eb1a3b", "name": "Occamy Remote PC / Device Control", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T01:48:51.255000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "869 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65459cbd3069e99e327642b6", "name": "Resources Hijacking ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T01:22:05.691000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "869 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544d9b0f9b23205eb355210", "name": "Resources Hijacking by Attorney 11_03_2023", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T11:29:52.652000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "869 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c99af21a2fde7bd6927e", "name": "Occamy Remote PC / Device Control ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T10:21:14.428000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "869 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622bff66af821729750147ab", "name": "Sandbox - Vi;https://edu-cisco.org - conti touched", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T02:03:18.697000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "date", "sha256", "pcap", "pcap processing", "windows", "path", "accept", "body", "format", "xbtl", "hybrid", "close", "click", "hosts", "malicious", "general", "local", "factory", "strings", "suspicious", "conti" ], "references": [ "https://hybrid-analysis.com/sample/257842aced71d6a8197f6269f4804e36a3e7aa40755e22479bbe34531411e0c0?environmentId=100" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 231, "URL": 419, "hostname": 154, "domain": 42, "FileHash-MD5": 59, "FileHash-SHA1": 46, "email": 2 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "https://remote.krogerlaw.com", "IDS Detections: HTTP traffic on port 443 (POST)", "http://45.159.189.105/bot/regex", "ns2.abovedomains.com", "www.pornhub.com [password decryption]", "imp.fusioninstall.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "https://hallrender.com/attorney/brian-sabey/Accept \u2022 https://hallrender.com/wp-content/uploads/vcards/", "yoursexy.porn | indianyouporn.com", "The Hall Render Brian Sabey malicious media campaign was so unexpected.", "checkip.dyndns.org [command_and_control]", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "*Patient PII & PHI at critical risk", "http://watchhers.net/index.php. [ data collection]", "838114.parkingcrew.net", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "https://www.crccolorado.com/dr-adam-sang", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://severeporn-com.pornproxy.page/", "http://www.hallrender.com/resources/blog/", "xhamster.comyouporn.com", "http://secure.indianpornpass.com/track/hotpornstuff", "hallrender.com \u2022 wwdancehall.com \u2022 hallplan.vm05.iveins.de\t \u2022 iveins.de \u2022 http://hallplan.vm05.iveins.de", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "campaign-manager.sharecare.com", "IDS Detections: Linksys E-Series Device RCE Attempt Outbound", "https://us-bankofamerica.com/PhoneVerification.php/", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "http://alohatube.xyz/search/tsara-brashears", "click.marketing.hallrender.com \u2022 hallrender.com \u2022 autodiscover.hallrender.com", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "MD refused to disclose medication cocktail he was injecting into patient. Patient suffered long term harm.", "Research", "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "https://mylegalbid.com/malwarebytes", "https://www.reddit.com/user/", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "qa.companycam.com", "104.86.182.8 [command_and_control]", "mwilliams.dev@gmail.com | piratepages.com", "http://hallrender.com/attorney/bsabey \u2022 http://hallrender.com/attorney/gregg-m-wallander", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://www.hallrender.com/attorney/brian-sabey-anyxxxtube.net/search-porn/tsara-brashears", "cams4all.com", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iphones.email [redirection chain]", "http://southwestphysiatry.com/", "jimgaffigan.com", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://attack.mitre.org/software/S0226/", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "Gowi Live Bot.exe", "IDS Detections : Mirai Variant Spreading", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "tulach.cc [AM | phishing]", "static-push-preprod.porndig.com", "www.supernetforme.com [CnC]", "192.185.223.216 | 192.168.56.1 [malware]", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "youramateuporn.com", "www.anyxxxtube.net", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://hallrender.com/attorney/gregg-m-wallander/\u2022 http://hallrender.com/resources/ \u2022 http://hallrender.com/resources/blog/ \u2022 http://officemarketing.hallrender.com/ \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com/", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "IDS Detections: Python Requests Suspicious User Agent", "86.140.232.148 [scanning_host]", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "weconnect.com", "103.224.182.253 [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "https://www.songculture.com/tsara-lynn-brashears-music", "ww16.porn-community.porn25.com", "watchhers.net", "http://xred.mooo.com", "http://alive.overit.com/~schoolbu/badmood3.exe", "103.224.182.246 [command_and_control]", "3.163.189.120 [Tracking]", "ddos.dnsnb8.net [command_and_control]", "Hybrid Analysis", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "cdn.pornsocket.com", "https://sexgalaxy.net/tag/rodneymoore/", "CS IDS Rules: MALWARE Possible Compromised Host", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://www.hallrender.com/attorney/brian-sabey", "Yara: Descriptive: Mirai_Botnet_Malware /dev/misc/watchdog \u2022 Mirai_2 /dev/watchdog", "www.supernetforme.com [command_and_control]", "www.redtube.comyouporn.com", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "Yara Descriptive: \u2022 is__elf \u007fELF \u2022 Linux_Mirai /dev/watchdog", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "pirateproxy.cc", "http://benjamin.xww.de/", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "poemhunter.com", "https://hybrid-analysis.com/sample/257842aced71d6a8197f6269f4804e36a3e7aa40755e22479bbe34531411e0c0?environmentId=100", "safebae.org", "browser.events.data.msn.com | events-sandbox.data.msn.com", "wTools", "remotewd.com", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "dropboxpayments.com", "http://www.hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://click.marketing.hallrender.com/?qs=9f3b0a760973d5628ba046a192f7fe432889bb96dc51578763a9cf11358dcde635e137184c12a031617f00faa9d172d8", "prosperhall.edsby.com \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com", "qbot.zip", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "https://tulach.cc/ [phishing attacks]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "https://www.patientfusion.com/doctor/michael-crincoli-59108", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "https://twitter.com/PORNO_SEXYBABES", "http://45.159.189.105/bot/regex [phishing | tracking]", "demos.palantirfoundry.com", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "http://www.defi-realty.com/jem9/ [phishing]", "ddos.dnsnb8.net [CnC]", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "24-70mm.camera", "Yara Detections : Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tulach | Mark Brian Sabey | Hall Render Law Firm" ], "malware_families": [ "Radar ineractive", "Systweak", "Webtoolbar", "Razy", "Malware", "Azorult cnc", "Slfper:browsermodifier:win32/mediamagnet", "Smoke loader", "Ddos:linux/gafgyt", "Vidar", "Honeypot", "Redline", "Noname057", "Ransomware", "Emotet", "Trojanspy", "Ransomexx", "Occamy", "Yixun", "Hacktool", "Generic.malware", "Gen:variant.zusy", "Virtool", "Zpevdo", "Domains", "Possible", "Maltiverse", "Formbook", "Tiggre", "Dangerousobject.multi", "Static ai - malicious pe", "Darkside .beware", "Mirai variant spreading", "Relic", "Simda", "Wacatac", "Qakbot", "Inmortal", "Br", "Nanocore rat", "Trojan.injector", "Unix.trojan.gafgyt-6748839-0", "Nymaim", "Opencandy", "Adware affiliate", "Defacement", "Xrat", "Suppobox", "Tulach malware", "Am", "Feodo tracker", "Elf:hajime-r\\ [trj]", "Iobit", "Lumma stealer", "Tofsee", "Rms", "Cutwail", "Zbot", "Adware.pcappstore/veryfast", "Mirai", "Agent tesla", "Virut", "Sality", "Nsis", "Hsbc" ], "industries": [ "Health", "Patients", "Civil society", "Healthcare" ], "unique_indicators": 74435 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/rvvc.im", "whois": "http://whois.domaintools.com/rvvc.im", "domain": "rvvc.im", "hostname": "api.rvvc.im" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "691439014fa9d79406a83e8e", "name": "Mirai Botnet \u2022 Michael Crincoli - | Patient Fusion", "description": "I researched this doctor because of patient documentation of unethical practices , injury , blood toxicity and other very strange circumstances experienced by a monitored target. \nMD is based in Arizona, comes to Denver for certain cases. There weren\u2019t any follow ups or return calls after serious side affects that needed aggressive intervention.", "modified": "2025-12-12T05:04:18.490000", "created": "2025-11-12T07:36:33.673000", "tags": [ "practice fusion", "patient fusion", "ave suite", "denver", "help log", "physical", "medicine", "book", "friday", "united", "present aug", "present nov", "present oct", "present sep", "present jul", "present jun", "ip address", "url analysis", "msie", "chrome", "formbook cnc", "checkin", "win64", "next associated", "smokeloader", "twitter", "cookie", "ipv4", "hosting", "suite", "verdict", "present may", "domain add", "files show", "avast avg", "post", "http traffic", "high", "south korea", "taiwan as3462", "python", "agent", "malware", "russia asnone", "czechia as51420", "italy as47217", "belgium as5432", "serbia as15958", "germany as34011", "contacted", "file score", "detections elf", "eseries device", "rce attempt", "outbound python", "user agent", "p2p_cnc", "network_http_post", "network_http", "network_cnc_http", "dead_host", "network_icmp", "osquery_detection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "tcp syn", "resolverror", "yara detections", "expl", "ddos", "icmp traffic", "copy", "mirai", "writes_to_stdout", "nolookup_communication", "tcp_syn_scan", "network_icmp", "host", "network_irc", "crincoli", "md", "mirai botnet", "brian sabey", "hall render", "michael crincoli", "palantir", "foundry" ], "references": [ "https://www.patientfusion.com/doctor/michael-crincoli-59108", "demos.palantirfoundry.com", "http://southwestphysiatry.com/", "IDS Detections: Linksys E-Series Device RCE Attempt Outbound", "IDS Detections: Python Requests Suspicious User Agent", "IDS Detections: HTTP traffic on port 443 (POST)", "IDS Detections : Mirai Variant Spreading", "Yara Detections : Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai", "Yara: Descriptive: Mirai_Botnet_Malware /dev/misc/watchdog \u2022 Mirai_2 /dev/watchdog", "Yara Descriptive: \u2022 is__elf \u007fELF \u2022 Linux_Mirai /dev/watchdog", "http://www.hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "http://www.hallrender.com/attorney/brian-sabey-anyxxxtube.net/search-porn/tsara-brashears", "click.marketing.hallrender.com \u2022 hallrender.com \u2022 autodiscover.hallrender.com", "https://click.marketing.hallrender.com/?qs=9f3b0a760973d5628ba046a192f7fe432889bb96dc51578763a9cf11358dcde635e137184c12a031617f00faa9d172d8", "hallrender.com \u2022 wwdancehall.com \u2022 hallplan.vm05.iveins.de\t \u2022 iveins.de \u2022 http://hallplan.vm05.iveins.de", "prosperhall.edsby.com \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/Accept \u2022 https://hallrender.com/wp-content/uploads/vcards/", "http://hallrender.com/attorney/bsabey \u2022 http://hallrender.com/attorney/gregg-m-wallander", "http://hallrender.com/attorney/gregg-m-wallander/\u2022 http://hallrender.com/resources/ \u2022 http://hallrender.com/resources/blog/ \u2022 http://officemarketing.hallrender.com/ \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com/", "The Hall Render Brian Sabey malicious media campaign was so unexpected.", "MD refused to disclose medication cocktail he was injecting into patient. Patient suffered long term harm." ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Netherlands", "Russian Federation", "Belgium", "Germany", "Serbia", "United States of America" ], "malware_families": [ { "id": "Unix.Trojan.Gafgyt-6748839-0", "display_name": "Unix.Trojan.Gafgyt-6748839-0", "target": null }, { "id": "ELF:Hajime-R\\ [Trj]", "display_name": "ELF:Hajime-R\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Variant Spreading", "display_name": "Mirai Variant Spreading", "target": null }, { "id": "DDoS:Linux/Gafgyt", "display_name": "DDoS:Linux/Gafgyt", "target": "/malware/DDoS:Linux/Gafgyt" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5572, "domain": 788, "hostname": 1607, "email": 6, "FileHash-SHA256": 505, "FileHash-MD5": 132, "FileHash-SHA1": 128, "CVE": 2 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1ece3b935bda6b9d3e10b", "name": "Cyber espionage & Ransomware attacks spread via Phone call? II.", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-03-01T14:57:39.828000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 88, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c970ef974adf44ef24c9a2", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-12T01:14:23.337000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c09e487b3899f3442aed96", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-05T08:37:28.774000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c012b5e56cc9474ebb701f", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c012b5e56cc9474ebb701f", "name": "Cyber espionage & Ransomware attacks spread via Phone calls", "description": "Very strange and critical occurrences of businesses, healthcare facilities and individuals becoming part of a botnet and hacking attack when call connects with certain individuals. Healthcare facilities may be spreading this very critical vulnerability. Attacker has access to every device & camera of affected.\n*Smoke Loader\nSmoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-04T22:41:55.432000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48b6ea16eeb6b54dfad7c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears", "description": "", "modified": "2024-01-15T01:33:34.790000", "created": "2024-01-15T01:33:34.790000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6590f9b6b1fe0330c655c25f", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "826 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9b6b1fe0330c655c25f", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears ", "description": "", "modified": "2023-12-31T05:18:46.519000", "created": "2023-12-31T05:18:46.519000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "658741502e029e25c7152cc0", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "841 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.rvvc.im", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.rvvc.im", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776684446.9068263 }