{
"type": "URL",
"indicator": "https://assets.md.docs.tw/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://assets.md.docs.tw/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3773967762,
"indicator": "https://assets.md.docs.tw/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 47,
"pulses": [
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "109 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "132 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f93b1cebf80f48450bd517",
"name": "Yuner - File deletion and Disk Wiping / Cyberstalking ",
"description": "",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T20:14:20.632000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": "68f9288e0d98f3b44c2cb90c",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d3caa9524bb6b5460615f3",
"name": "Legacy.Trojan affects threat researchers networks & portals and/or platforms",
"description": "Legacy.Trojan affects threat researchers networks & portals and/or platforms or via platforms as a medium.\n[otx auto populated: Adversaries may be able to gain access to a victim's network through a range of techniques, as well as using a variety of other techniques to evade detection and detection.]\n#honeypot #capture #advesaries #fireeye #github",
"modified": "2025-10-24T10:01:25.310000",
"created": "2025-09-24T10:40:40.987000",
"tags": [
"text drag",
"browse to",
"select file",
"or drop",
"yara detections",
"runlevel",
"av detections",
"ids detections",
"alerts",
"analysis date",
"inject",
"stncphpphp more",
"virustotal api",
"comments",
"related tags",
"passive dns",
"republic",
"ipv4 add",
"location korea",
"korea",
"asn as9318",
"dns resolutions",
"pulses otx",
"close",
"dynamicloader",
"backdoor",
"tgt session",
"reads",
"dynamic",
"write",
"chopper",
"pho exploit",
"backdoor",
"fireeye",
"low risk",
"drop",
"create snapshot",
"hangover_appinbot",
"kns dropper",
"self",
"md5 sha256",
"google safe",
"browsing",
"server response",
"response code",
"vary",
"mimikatz",
"silence malware",
"trojanagent",
"legacy",
"password",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"initial access",
"defense evasion",
"spawns",
"copy md5",
"copy sha1",
"copy sha256",
"selection",
"ascii text",
"crlf line",
"windir",
"openurl c",
"appearance code",
"password",
"urlhttps",
"username",
"flag",
"united",
"markmonitor",
"github",
"server",
"date",
"click",
"apt 1",
"high",
"read c",
"search",
"medium",
"show",
"windows",
"cmd c",
"ms windows",
"next",
"copy",
"ver",
"businesseconomy"
],
"references": [
"Files",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Ireland"
],
"malware_families": [
{
"id": "Php.Exploit.C99-27",
"display_name": "Php.Exploit.C99-27",
"target": null
},
{
"id": "Backdoor:ASP/Chopper.F!dha",
"display_name": "Backdoor:ASP/Chopper.F!dha",
"target": "/malware/Backdoor:ASP/Chopper.F!dha"
},
{
"id": "Legacy.Trojan.Agent-37025",
"display_name": "Legacy.Trojan.Agent-37025",
"target": null
},
{
"id": "Ver",
"display_name": "Ver",
"target": null
}
],
"attack_ids": [
{
"id": "T1110.001",
"name": "Password Guessing",
"display_name": "T1110.001 - Password Guessing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 87,
"FileHash-SHA1": 84,
"FileHash-SHA256": 1049,
"URL": 1688,
"hostname": 544,
"email": 5,
"domain": 292,
"CVE": 2
},
"indicator_count": 3751,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "176 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "275 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186983a4dd00c2b45b255",
"name": "Source:\thttps://cloud.samsara.com/o/79639/flee",
"description": "",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:15:36.505000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "685186035e5fb63846d29e45",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "275 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68743733a69ce827f6156f5c",
"name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy",
"description": "",
"modified": "2025-07-13T22:46:11.685000",
"created": "2025-07-13T22:46:11.685000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "279 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6802db5065a2d5648af92de3",
"name": "Pegasus Spyware",
"description": "If you see one of these IP addresses on your Android device, know this: the government is spying on you. It is recommended to perform a clean install of the latest version of Android, without Google services and with a proper firewall. Don't forget to disable RCS to decrease the attack surface.",
"modified": "2025-05-20T10:00:22.858000",
"created": "2025-04-18T23:08:00.201000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "esjsonexe",
"id": "320409",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 255,
"hostname": 318,
"URL": 762,
"FileHash-SHA256": 288
},
"indicator_count": 1623,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 18,
"modified_text": "333 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "674248a40f08120e523708eb",
"name": "cqbpy.nakula.fun (enriched)",
"description": "",
"modified": "2024-12-23T21:01:08.932000",
"created": "2024-11-23T21:27:00.332000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 60,
"hostname": 383,
"domain": 63,
"URL": 487
},
"indicator_count": 997,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 177,
"modified_text": "481 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67264874826a7c8efb017e83",
"name": "unfamiiiiardates (enriched)",
"description": "",
"modified": "2024-12-02T15:01:26.132000",
"created": "2024-11-02T15:42:44.989000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 94,
"hostname": 67,
"domain": 70,
"URL": 212
},
"indicator_count": 447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 177,
"modified_text": "502 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656aafd0e93efa420f74123c",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2024-10-12T01:00:47.836000",
"created": "2023-12-02T04:17:20.189000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6562908e28e6cdc237fbf8db",
"export_count": 107,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3895,
"URL": 11195,
"domain": 2959,
"hostname": 3575,
"CVE": 16,
"SSLCertFingerprint": 1,
"email": 1
},
"indicator_count": 24465,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "554 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e142f0c8f5ddecbc788c",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:16:34.388000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 94,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "622 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e0ffb31d4881f3238713",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:15:27.994000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 89,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "622 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e15588a794b95443b46d",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated",
"modified": "2024-08-05T02:03:31.529000",
"created": "2024-07-06T06:16:53.461000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"file size",
"b file",
"detections file",
"gzip chrome",
"cache entry",
"graph",
"ip detections",
"country",
"domains",
"internet domain",
"service bs",
"corp",
"namecheap inc",
"csc corporate",
"tucows",
"epik llc",
"tucows domains"
],
"references": [
"https://www.searchw3.com/",
"IP\u2019s Contacted: 192.124.249.187",
"Ransomware: message.htm.com",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 73,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3731,
"URL": 11926,
"hostname": 4626,
"domain": 4135,
"FileHash-MD5": 1530,
"FileHash-SHA1": 762,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 26747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "622 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657ab025b97f20f31bbfcd70",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-14T07:35:01.537000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 512,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659d6ae800440c0befb47e22",
"name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2024-01-09T15:48:56.676000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657c045ef15bd06d27da1b08",
"export_count": 250,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658ef8c00492cc6bdaa8b605",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-29T16:50:08.330000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "658dd341d97d04b0253392d4",
"export_count": 518,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 234,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658dd341d97d04b0253392d4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-28T19:57:53.875000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 522,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657c045ef15bd06d27da1b08",
"name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:46:38.664000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657c03432f4f2997c7d3aff4",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657c03432f4f2997c7d3aff4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:41:55.972000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657aaff046e2083b423a39e2",
"name": "Inmortal Invoke-Mimikatz",
"description": "Attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life uncomfortable, threaten and cause harm to targets.\nPossible masquerading / DBA as attorney with such illegal behavior.\nMay have been hired to harass and...she is reported dead of suicide morning after reporting harassment. Missouri government is seen throughout as if hired by firm. If this is a true law firm , the corruption is mafia deep. \n\nI'm 24/7 followed. Hacked l, etc. \nVery expensive threat and deliver campaign. Verdict: Digital profile completely destroyed. Lives at risk.",
"modified": "2024-01-12T04:02:22.872000",
"created": "2023-12-14T07:34:08.701000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 438,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1995,
"hostname": 3222,
"URL": 7179,
"FileHash-MD5": 2749,
"FileHash-SHA1": 1538,
"FileHash-SHA256": 4661,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 21381,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "828 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6572622bba87d8d105a7259f",
"name": "Lazarus Group _ 192.229.211.108",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-08T00:24:11.801000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65715b49b95c13605856d6d0",
"export_count": 234,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "834 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65715b49b95c13605856d6d0",
"name": "Lazarus Group _ 192.229.211.108",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-07T05:42:33.281000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65715ad29ac565164664960b",
"export_count": 210,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "834 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65715ad29ac565164664960b",
"name": "InstallMate",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-07T05:40:34.888000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 210,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "834 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656aafce24b001cba328dcbc",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2023-12-26T00:03:03.925000",
"created": "2023-12-02T04:17:18.188000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6562908e28e6cdc237fbf8db",
"export_count": 78,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3751,
"URL": 10878,
"domain": 2914,
"hostname": 3520,
"CVE": 16
},
"indicator_count": 23902,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "845 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6562908e28e6cdc237fbf8db",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2023-12-26T00:03:03.925000",
"created": "2023-11-26T00:25:50.529000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 83,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3751,
"URL": 10878,
"domain": 2914,
"hostname": 3520,
"CVE": 16
},
"indicator_count": 23902,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "845 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655f6d7ac217661e4bc37f4d",
"name": "Qbot | Miscellaneous Attacks",
"description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.",
"modified": "2023-12-23T07:03:55.171000",
"created": "2023-11-23T15:19:22.356000",
"tags": [
"pattern match",
"ascii text",
"file",
"jpeg image",
"exif standard",
"tiff image",
"png image",
"united",
"baseline",
"rgba",
"date",
"class",
"unknown",
"hybrid",
"accept",
"local",
"click",
"strings",
"generator",
"critical",
"error",
"firehol",
"detection list",
"ip address",
"blacklist",
"botnet command",
"control server",
"noname057",
"facebook",
"phishtank",
"blacklist http",
"organization",
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"n64xtx0vpihxzc",
"whois whois",
"qpyrn6pd http",
"referrer",
"execution",
"communicating",
"core",
"discord",
"hiddentear",
"metro",
"probe",
"ransomexx",
"quasar",
"asyncrat",
"bleachgap",
"formbook",
"nanocore",
"roblox",
"heur",
"cyber threat",
"engineering",
"malware",
"phishing",
"malicious site",
"phishing site",
"covid19",
"team",
"bank",
"cobalt strike",
"artemis",
"download",
"zbot",
"suppobox",
"service",
"downloader",
"virut",
"malicious",
"emotet",
"stealer",
"exploit",
"generic",
"dropper",
"unruy",
"agent",
"unsafe",
"ramnit",
"redline stealer",
"smsspy",
"bradesco",
"fakealert",
"qakbot",
"outbreak",
"qbot",
"bankerx",
"riskware",
"nimda",
"swrort",
"adwind",
"trojanx",
"crack",
"win64",
"squirrelwaffle",
"pony",
"binder",
"virustotal",
"azorult",
"zeus",
"nymaim",
"matsnu",
"simda",
"runescape",
"cutwail",
"dnspionage",
"redirector",
"fusioncore",
"iframe",
"killav",
"raccoon",
"daum",
"installcore",
"ransomware",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"presenoker",
"downldr",
"alexa",
"applicunwnt",
"opencandy",
"cleaner",
"wacatac",
"xrat",
"xtrat",
"dbatloader",
"infy",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"phish",
"deepscan",
"trojanspy",
"maltiverse",
"qpyrn6pd",
"spyware",
"injector",
"jul jan",
"tag count",
"tue jan",
"threat report",
"ip summary",
"url summary",
"summary",
"sample"
],
"references": [
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"*otc.greatcall.com [Botnetwork]",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"tulach.cc. [Malevolent | Modified description]",
"https://tulach.cc/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]"
],
"public": 1,
"adversary": "Qbot",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Roblox",
"display_name": "Roblox",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 897,
"FileHash-SHA1": 479,
"URL": 9847,
"domain": 2344,
"hostname": 2398,
"CVE": 22,
"FileHash-SHA256": 4712
},
"indicator_count": 20699,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "848 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655f6d89b33758a190399f39",
"name": "Qbot | Miscellaneous Attacks",
"description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.",
"modified": "2023-12-23T07:03:55.171000",
"created": "2023-11-23T15:19:37.838000",
"tags": [
"pattern match",
"ascii text",
"file",
"jpeg image",
"exif standard",
"tiff image",
"png image",
"united",
"baseline",
"rgba",
"date",
"class",
"unknown",
"hybrid",
"accept",
"local",
"click",
"strings",
"generator",
"critical",
"error",
"firehol",
"detection list",
"ip address",
"blacklist",
"botnet command",
"control server",
"noname057",
"facebook",
"phishtank",
"blacklist http",
"organization",
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"n64xtx0vpihxzc",
"whois whois",
"qpyrn6pd http",
"referrer",
"execution",
"communicating",
"core",
"discord",
"hiddentear",
"metro",
"probe",
"ransomexx",
"quasar",
"asyncrat",
"bleachgap",
"formbook",
"nanocore",
"roblox",
"heur",
"cyber threat",
"engineering",
"malware",
"phishing",
"malicious site",
"phishing site",
"covid19",
"team",
"bank",
"cobalt strike",
"artemis",
"download",
"zbot",
"suppobox",
"service",
"downloader",
"virut",
"malicious",
"emotet",
"stealer",
"exploit",
"generic",
"dropper",
"unruy",
"agent",
"unsafe",
"ramnit",
"redline stealer",
"smsspy",
"bradesco",
"fakealert",
"qakbot",
"outbreak",
"qbot",
"bankerx",
"riskware",
"nimda",
"swrort",
"adwind",
"trojanx",
"crack",
"win64",
"squirrelwaffle",
"pony",
"binder",
"virustotal",
"azorult",
"zeus",
"nymaim",
"matsnu",
"simda",
"runescape",
"cutwail",
"dnspionage",
"redirector",
"fusioncore",
"iframe",
"killav",
"raccoon",
"daum",
"installcore",
"ransomware",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"presenoker",
"downldr",
"alexa",
"applicunwnt",
"opencandy",
"cleaner",
"wacatac",
"xrat",
"xtrat",
"dbatloader",
"infy",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"phish",
"deepscan",
"trojanspy",
"maltiverse",
"qpyrn6pd",
"spyware",
"injector",
"jul jan",
"tag count",
"tue jan",
"threat report",
"ip summary",
"url summary",
"summary",
"sample"
],
"references": [
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"*otc.greatcall.com [Botnetwork]",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"tulach.cc. [Malevolent | Modified description]",
"https://tulach.cc/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]"
],
"public": 1,
"adversary": "Qbot",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Roblox",
"display_name": "Roblox",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 897,
"FileHash-SHA1": 479,
"URL": 9847,
"domain": 2344,
"hostname": 2398,
"CVE": 22,
"FileHash-SHA256": 4712
},
"indicator_count": 20699,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "848 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655f6edffd3910161c2ad1a2",
"name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert",
"description": "",
"modified": "2023-12-23T07:03:55.171000",
"created": "2023-11-23T15:25:19.843000",
"tags": [
"pattern match",
"ascii text",
"file",
"jpeg image",
"exif standard",
"tiff image",
"png image",
"united",
"baseline",
"rgba",
"date",
"class",
"unknown",
"hybrid",
"accept",
"local",
"click",
"strings",
"generator",
"critical",
"error",
"firehol",
"detection list",
"ip address",
"blacklist",
"botnet command",
"control server",
"noname057",
"facebook",
"phishtank",
"blacklist http",
"organization",
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"n64xtx0vpihxzc",
"whois whois",
"qpyrn6pd http",
"referrer",
"execution",
"communicating",
"core",
"discord",
"hiddentear",
"metro",
"probe",
"ransomexx",
"quasar",
"asyncrat",
"bleachgap",
"formbook",
"nanocore",
"roblox",
"heur",
"cyber threat",
"engineering",
"malware",
"phishing",
"malicious site",
"phishing site",
"covid19",
"team",
"bank",
"cobalt strike",
"artemis",
"download",
"zbot",
"suppobox",
"service",
"downloader",
"virut",
"malicious",
"emotet",
"stealer",
"exploit",
"generic",
"dropper",
"unruy",
"agent",
"unsafe",
"ramnit",
"redline stealer",
"smsspy",
"bradesco",
"fakealert",
"qakbot",
"outbreak",
"qbot",
"bankerx",
"riskware",
"nimda",
"swrort",
"adwind",
"trojanx",
"crack",
"win64",
"squirrelwaffle",
"pony",
"binder",
"virustotal",
"azorult",
"zeus",
"nymaim",
"matsnu",
"simda",
"runescape",
"cutwail",
"dnspionage",
"redirector",
"fusioncore",
"iframe",
"killav",
"raccoon",
"daum",
"installcore",
"ransomware",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"presenoker",
"downldr",
"alexa",
"applicunwnt",
"opencandy",
"cleaner",
"wacatac",
"xrat",
"xtrat",
"dbatloader",
"infy",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"phish",
"deepscan",
"trojanspy",
"maltiverse",
"qpyrn6pd",
"spyware",
"injector",
"jul jan",
"tag count",
"tue jan",
"threat report",
"ip summary",
"url summary",
"summary",
"sample"
],
"references": [
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"*otc.greatcall.com [Botnetwork]",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"tulach.cc. [Malevolent | Modified description]",
"https://tulach.cc/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]"
],
"public": 1,
"adversary": "Qbot",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Roblox",
"display_name": "Roblox",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "655f6d89b33758a190399f39",
"export_count": 86,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 897,
"FileHash-SHA1": 479,
"URL": 9847,
"domain": 2344,
"hostname": 2398,
"CVE": 22,
"FileHash-SHA256": 4712
},
"indicator_count": 20699,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "848 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655aef8a8cc2e0929f2aa5ea",
"name": "Python Initiated Connection | Spyware | Remote Attacks |",
"description": "",
"modified": "2023-12-18T23:03:18.732000",
"created": "2023-11-20T05:32:58.400000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et",
"october",
"contacted",
"threat roundup",
"january",
"cyberstalking",
"attack",
"icmp",
"banker",
"keylogger",
"google llc",
"gc abuse",
"orgid",
"direct",
"whois lookup",
"netrange",
"nethandle",
"net34",
"net340000",
"googl2",
"comment",
"gc",
"dns replication",
"date",
"domain",
"win32 exe",
"driver pro",
"files",
"detections type",
"name",
"optimizer pro",
"javascript",
"text",
"text ip",
"aacr",
"type name",
"email",
"email delivery",
"email fwd",
"delivery status",
"notification",
"name verdict",
"runtime process",
"sha1",
"size",
"localappdata",
"temp",
"prefetch8",
"unicode text",
"type data",
"programfiles",
"win64",
"hybrid",
"click",
"strings",
"youth",
"pe resource",
"apple private",
"data collection",
"hidden privacy",
"threats https",
"legal",
"amazon aws",
"wife happy",
"vhash",
"authentihash",
"ssdeep",
"file type",
"magic pe32",
"intel",
"ms windows",
"trid windows",
"os2 executable",
"compiler",
"delphi",
"sections",
"md5 code",
"data",
"children",
"file size",
"dropped files",
"google update",
"setup sha256",
"kb file"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "GC",
"display_name": "GC",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655950034e6ae4650a6b02ce",
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12901,
"hostname": 4445,
"domain": 3685,
"FileHash-MD5": 197,
"FileHash-SHA256": 5136,
"FileHash-SHA1": 170,
"CIDR": 1,
"email": 2,
"CVE": 4
},
"indicator_count": 26541,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "852 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655950034e6ae4650a6b02ce",
"name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4",
"description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]",
"modified": "2023-12-18T23:03:18.732000",
"created": "2023-11-19T00:00:03.258000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et",
"october",
"contacted",
"threat roundup",
"january",
"cyberstalking",
"attack",
"icmp",
"banker",
"keylogger",
"google llc",
"gc abuse",
"orgid",
"direct",
"whois lookup",
"netrange",
"nethandle",
"net34",
"net340000",
"googl2",
"comment",
"gc",
"dns replication",
"date",
"domain",
"win32 exe",
"driver pro",
"files",
"detections type",
"name",
"optimizer pro",
"javascript",
"text",
"text ip",
"aacr",
"type name",
"email",
"email delivery",
"email fwd",
"delivery status",
"notification",
"name verdict",
"runtime process",
"sha1",
"size",
"localappdata",
"temp",
"prefetch8",
"unicode text",
"type data",
"programfiles",
"win64",
"hybrid",
"click",
"strings",
"youth",
"pe resource",
"apple private",
"data collection",
"hidden privacy",
"threats https",
"legal",
"amazon aws",
"wife happy",
"vhash",
"authentihash",
"ssdeep",
"file type",
"magic pe32",
"intel",
"ms windows",
"trid windows",
"os2 executable",
"compiler",
"delphi",
"sections",
"md5 code",
"data",
"children",
"file size",
"dropped files",
"google update",
"setup sha256",
"kb file"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "GC",
"display_name": "GC",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12901,
"hostname": 4445,
"domain": 3685,
"FileHash-MD5": 197,
"FileHash-SHA256": 5136,
"FileHash-SHA1": 170,
"CIDR": 1,
"email": 2,
"CVE": 4
},
"indicator_count": 26541,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "852 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655907b9da2479892590b77a",
"name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3",
"description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]",
"modified": "2023-12-18T16:03:26.037000",
"created": "2023-11-18T18:51:37.411000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8650,
"hostname": 3073,
"domain": 2708,
"FileHash-MD5": 118,
"FileHash-SHA256": 3552,
"FileHash-SHA1": 104
},
"indicator_count": 18205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "852 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655907b4d8c905f4475d8bcc",
"name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3",
"description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]",
"modified": "2023-12-18T16:03:26.037000",
"created": "2023-11-18T18:51:32.856000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8650,
"hostname": 3073,
"domain": 2708,
"FileHash-MD5": 118,
"FileHash-SHA256": 3552,
"FileHash-SHA1": 104
},
"indicator_count": 18205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "852 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656aac25a8a2caaddf0d3b88",
"name": "https://myaccount.uscis.gov/",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-12-02T04:01:41.427000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655652f6ddcbf952a599cded",
"export_count": 93,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65580c52bf98f256b6a01da6",
"name": "https://myaccount.uscis.gov/",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-18T00:58:58.944000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 101,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655686e2c072557f03e9cba2",
"name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T21:17:22.087000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 102,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655657ca2e402d4f98283de9",
"name": "https://myaccount.uscis.gov/ ",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:56:26.312000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 100,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65565477da453c46f05a6ac4",
"name": "BTW VirusTotal - \" interesting files written to disk during execution'",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:42:15.123000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 101,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655652f6ddcbf952a599cded",
"name": "https://myaccount.uscis.gov/",
"description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:35:50.285000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 100,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655650c9b2be6cc930c92cf3",
"name": "https://myaccount.uscis.gov/",
"description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:26:33",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 102,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "854 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6546d0120a7e479fecffe2b1",
"name": "Browser Malware Attack",
"description": "Attacking browser to identify researcher.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"modified": "2023-12-04T22:00:43.514000",
"created": "2023-11-04T23:13:21.883000",
"tags": [
"united",
"facebook",
"phishtank",
"detection list",
"ip address",
"blacklist",
"paypal",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"million",
"malicious url",
"malware site",
"malicious site",
"malware",
"name verdict",
"falcon sandbox",
"reports no",
"speci",
"efr1",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"et tor",
"known tor",
"relayrouter",
"date",
"unknown",
"general",
"hybrid",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"phishing site",
"heur",
"cyber threat",
"unsafe",
"riskware",
"phishing",
"bank",
"service",
"artemis",
"team",
"xtrat",
"agent",
"xrat",
"filetour",
"exploit",
"conduit",
"opencandy",
"fusioncore",
"orkut",
"steam",
"genkryptik",
"runescape",
"presenoker",
"ramnit",
"msil",
"crack",
"tofsee",
"suppobox",
"malicious",
"simda",
"vawtrak",
"hotmail",
"generic",
"webtoolbar",
"hsbc",
"maltiverse",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"count blacklist",
"tag count",
"downldr",
"cleaner",
"iframe",
"wacatac",
"alexa",
"win64",
"swrort",
"installcore",
"azorult",
"download",
"blacknet rat",
"stealer",
"softcnapp",
"nircmd",
"unruy",
"patcher",
"adload",
"dropper",
"installpack",
"tiggre",
"gamehack",
"trojanspy",
"germany http",
"attacker",
"static engine",
"internet storm",
"center",
"passive dns",
"urls",
"scan endpoints",
"all search",
"otx scoreblue",
"url http",
"pulse pulses",
"http",
"related nids"
],
"references": [
"https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"object.prototype.hasownproperty.call",
"hasownproperty.call",
"a.default.meta.applestore.id",
"applestore.id",
"http://decafsmob.this.id",
"id.google.com",
"http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/",
"http://git.io/yBU2rg",
"critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website",
"https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param",
"http://tracking.3061331.corn10wuk.club",
"http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904",
"apps.apple.com/us/app/id$",
"t.name",
"http://e.id?e.id:e.id.getAttribute",
"location.search",
"https://dnsorangetel.dn2.n-helix.com",
"1080p-torrent.ml",
"states.app",
"dev-2.ernestatech.com",
"https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d",
"209.85.145.113 [malware]",
"cdn.fuckporntube.com",
"www.search.app.goo.gl",
"apps.apple.com",
"http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv",
"https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html",
"globalworker1.sol.us",
"worker-m-tlcus1.sol.us"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany",
"Ireland",
"Singapore"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 33,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1015,
"hostname": 1309,
"FileHash-MD5": 466,
"FileHash-SHA1": 255,
"FileHash-SHA256": 3783,
"URL": 4001,
"CVE": 9,
"email": 3
},
"indicator_count": 10841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "866 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6546cf78627adef6562a97aa",
"name": "Browser Malware Attack",
"description": "Attacking my browser to identify.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"modified": "2023-12-04T22:00:43.514000",
"created": "2023-11-04T23:10:48.676000",
"tags": [
"united",
"facebook",
"phishtank",
"detection list",
"ip address",
"blacklist",
"paypal",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"million",
"malicious url",
"malware site",
"malicious site",
"malware",
"name verdict",
"falcon sandbox",
"reports no",
"speci",
"efr1",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"et tor",
"known tor",
"relayrouter",
"date",
"unknown",
"general",
"hybrid",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"phishing site",
"heur",
"cyber threat",
"unsafe",
"riskware",
"phishing",
"bank",
"service",
"artemis",
"team",
"xtrat",
"agent",
"xrat",
"filetour",
"exploit",
"conduit",
"opencandy",
"fusioncore",
"orkut",
"steam",
"genkryptik",
"runescape",
"presenoker",
"ramnit",
"msil",
"crack",
"tofsee",
"suppobox",
"malicious",
"simda",
"vawtrak",
"hotmail",
"generic",
"webtoolbar",
"hsbc",
"maltiverse",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"count blacklist",
"tag count",
"downldr",
"cleaner",
"iframe",
"wacatac",
"alexa",
"win64",
"swrort",
"installcore",
"azorult",
"download",
"blacknet rat",
"stealer",
"softcnapp",
"nircmd",
"unruy",
"patcher",
"adload",
"dropper",
"installpack",
"tiggre",
"gamehack",
"trojanspy",
"germany http",
"attacker",
"static engine",
"internet storm",
"center",
"passive dns",
"urls",
"scan endpoints",
"all search",
"otx scoreblue",
"url http",
"pulse pulses",
"http",
"related nids"
],
"references": [
"https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"object.prototype.hasownproperty.call",
"hasownproperty.call",
"a.default.meta.applestore.id",
"applestore.id",
"http://decafsmob.this.id",
"id.google.com",
"http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/",
"http://git.io/yBU2rg",
"critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website",
"https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param",
"http://tracking.3061331.corn10wuk.club",
"http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904",
"apps.apple.com/us/app/id$",
"t.name",
"http://e.id?e.id:e.id.getAttribute",
"location.search",
"https://dnsorangetel.dn2.n-helix.com",
"1080p-torrent.ml",
"states.app",
"dev-2.ernestatech.com",
"https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d",
"209.85.145.113 [malware]",
"cdn.fuckporntube.com",
"www.search.app.goo.gl",
"apps.apple.com",
"http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv",
"https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html",
"globalworker1.sol.us",
"worker-m-tlcus1.sol.us"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany",
"Ireland",
"Singapore"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1015,
"hostname": 1309,
"FileHash-MD5": 466,
"FileHash-SHA1": 255,
"FileHash-SHA256": 3783,
"URL": 4001,
"CVE": 9,
"email": 3
},
"indicator_count": 10841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "866 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"hallplan.vm05.iveins.de",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"https://tulach.cc/ [phishing]",
"209.85.145.113 [malware]",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.hallrender.com/attorney/brian-sabey",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"photos.theleders.family",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param",
"http://git.io/yBU2rg",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"Name : iveins.de Service : connect",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"cdn.fuckporntube.com",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"id.google.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"object.prototype.hasownproperty.call",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://therahand.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"http://e.id?e.id:e.id.getAttribute",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"globalworker1.sol.us",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"fakecelebporno.com",
"https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"www.dead-speak.com",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"http://tracks.theleders.family",
"hasownproperty.call",
"a.default.meta.applestore.id",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://poemhunter.com/tsara-brashears/",
"www.hallrender.com (malware hosting)",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Yara Detections : compromised_site_redirector_fromcharcode",
"batchpublicrecords.westlaw.com",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"iamrobert.com Y.A.S.",
"http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/",
"Target agreed and complied with all lie detector measures.",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"apple-dns.net",
"103.233.208.9 (CNC IP)",
"*otc.greatcall.com [Botnetwork]",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"apple-aqo.com (1 DNSPod.net)",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"worker-m-tlcus1.sol.us",
"I am very upset. Whoever is doing this is sick.",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"IP\u2019s Contacted: 192.124.249.187",
"apps.apple.com/us/app/id$",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"freeimdatingsites.thomasdobo.eu",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"api.useragentswitch.com",
"192.124.249.53:80",
"https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d",
"1080p-torrent.ml",
"applestore.id",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"batchcourtexpressservicesqa.westlaw.com",
"t.name",
"https://www.anyxxxtube.net/media/favicon/apple",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"http://decafsmob.this.id",
"192.124.249.187",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"www42.jhonisdead.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"apex.jquery.com (scammer | works for who?)",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"Ransomware: message.htm.com",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"BinBusyBox: 0x.un5t48l3.host",
"states.app",
"www.search.app.goo.gl",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"Can the DoD no questions asked target a SA victim",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.searchw3.com/",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"If someone is believed to be a threat they have right to due process.",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net",
"https://hallrender.com/attorney/brian-sabey",
"government.westlaw.com",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"http://tracking.3061331.corn10wuk.club",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"us-west-2.es.amazonaws.com (pslicorp)",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"dev-2.ernestatech.com",
"critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website",
"https://es.pornhat.com/models/the-sex-creator/",
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"AS24961 MyLoc Managed IT AG",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"Colorado maintains a public-facing police misconduct database via the state's",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://meumundogay-com.sexogratis.page/locker",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"nr-data.net",
"west-sca.duckdns.org",
"There is fear in silence or speaking out",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"dns.google (DNS client services - Doug Cole)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"location.search",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"c.oooooooooo.ga (c.apple.com cdn)",
"http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"drive.google.com/",
"Files",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"http://mobtrack.trkclk.net",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"apps.apple.com",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/",
"142.250.180.4 (init.ess)",
"emails.redvue.com (apple DNS w/amvima)",
"tulach.cc. [Malevolent | Modified description]",
"https://dnsorangetel.dn2.n-helix.com",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"https://www.red-gate.com/products/smartassembly",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"www.socialimages.reputationdatabase.com",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://account.helix.com/activate/start",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"www.opencandy.com",
"https://urlscan.io/domain/maxwam.tk"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"COINBASECARTEL",
"NSO Pegasus",
"Qbot"
],
"malware_families": [
"Malware",
"Zeus",
"Et",
"Win32:malware",
"Fakeav.for",
"Pua.optimizerpro/pcoptimizerpro",
"Win.virus.virlock-6804475-0",
"Beach research",
"Win.trojan.agent-306281",
"Trojan:msil/ranos.a",
"Uztuby",
"Unix.trojan.mirai-5607483-0",
"Win.packed.generic-9795615-0\t.",
"Suppobox",
"#lowfi:hstr:msil/obfuscator.deepsea",
"Win32:malob-db\\ [cryp]",
"Hsbc",
"Inmortal",
"Mirai",
"Qbot",
"Vitzo",
"Win.trojan.generic-9801687-0",
"Redline",
"Trojan:win32/wacatac",
"Virtool:msil/covent",
"Cve-2025-11727",
"Win.packed.msilperseus-9956592-0",
"Win.malware.bzub-6727003-0",
"Php.exploit.c99-27",
"Zbot",
"Lockbit",
"Trojan:msil/clipbanker",
"Trojan:win32/tiggre",
"Alf:backdoor:msil/noancooe.ka",
"Legacy.trojan.agent-37025",
"Babar",
"Nid",
"Alf:trojan:win32/formbook",
"Exploit:js/cve-2014-0322",
"Ubot",
"Elf:gafgyt-dz\\ [trj]",
"Elf:mirai-gh\\ [trj]",
"Win64:trojanx",
"Msil:agent-dq\\ [trj]",
"Redirector",
"Mbt",
"Cl0p",
"Roblox",
"Wannacry kill switch",
"Tulach",
"Njrat",
"Invoke-mimikatz",
"Domains",
"Ver",
"Virtool:win32/obfuscator.ki",
"Virtool:msil/covent.a",
"Win.trojan.nanocore-5",
"Other dangerous malware",
"Win.trojan.adinstall-2",
"Gc",
"Win.trojan.generic-6417450-0",
"Apnic",
"Pegasus",
"Maltiverse",
"States",
"Backdoor:msil/bladabindi.aj",
"Win32.pdf.alien",
"Alf:heraklezeval:pua:win32/ultradownloads",
"Kelihos",
"Atros.upk",
"Sonbokli",
"Trojan:win32/floxif.e",
"Emotet",
"Backdoor:msil/bladabindi.aj gc!",
"China telecom",
"Trojan:win32/tiggre!rfn",
"Gamehack",
"Psw.generic13",
"Rms",
"Win.dropper.njrat-10015886-0",
"Luhe.fiha.a",
"Webtoolbar",
"Lumma",
"Freemake",
"Generic",
"Backdoor:asp/chopper.f!dha",
"Other malware",
"Behav",
"Trojan:win32/pynamer!rfn",
"Tofsee",
"Win.packed.generic-9795615-0",
"Trojanspy",
"Tulach malware",
"Win.packed.fecn-7077459-0"
],
"industries": [
"Education",
"Health",
"Oil"
],
"unique_indicators": 229741
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/docs.tw",
"whois": "http://whois.domaintools.com/docs.tw",
"domain": "docs.tw",
"hostname": "assets.md.docs.tw"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 47,
"pulses": [
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "109 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "132 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f93b1cebf80f48450bd517",
"name": "Yuner - File deletion and Disk Wiping / Cyberstalking ",
"description": "",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T20:14:20.632000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": "68f9288e0d98f3b44c2cb90c",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d3caa9524bb6b5460615f3",
"name": "Legacy.Trojan affects threat researchers networks & portals and/or platforms",
"description": "Legacy.Trojan affects threat researchers networks & portals and/or platforms or via platforms as a medium.\n[otx auto populated: Adversaries may be able to gain access to a victim's network through a range of techniques, as well as using a variety of other techniques to evade detection and detection.]\n#honeypot #capture #advesaries #fireeye #github",
"modified": "2025-10-24T10:01:25.310000",
"created": "2025-09-24T10:40:40.987000",
"tags": [
"text drag",
"browse to",
"select file",
"or drop",
"yara detections",
"runlevel",
"av detections",
"ids detections",
"alerts",
"analysis date",
"inject",
"stncphpphp more",
"virustotal api",
"comments",
"related tags",
"passive dns",
"republic",
"ipv4 add",
"location korea",
"korea",
"asn as9318",
"dns resolutions",
"pulses otx",
"close",
"dynamicloader",
"backdoor",
"tgt session",
"reads",
"dynamic",
"write",
"chopper",
"pho exploit",
"backdoor",
"fireeye",
"low risk",
"drop",
"create snapshot",
"hangover_appinbot",
"kns dropper",
"self",
"md5 sha256",
"google safe",
"browsing",
"server response",
"response code",
"vary",
"mimikatz",
"silence malware",
"trojanagent",
"legacy",
"password",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"initial access",
"defense evasion",
"spawns",
"copy md5",
"copy sha1",
"copy sha256",
"selection",
"ascii text",
"crlf line",
"windir",
"openurl c",
"appearance code",
"password",
"urlhttps",
"username",
"flag",
"united",
"markmonitor",
"github",
"server",
"date",
"click",
"apt 1",
"high",
"read c",
"search",
"medium",
"show",
"windows",
"cmd c",
"ms windows",
"next",
"copy",
"ver",
"businesseconomy"
],
"references": [
"Files",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Ireland"
],
"malware_families": [
{
"id": "Php.Exploit.C99-27",
"display_name": "Php.Exploit.C99-27",
"target": null
},
{
"id": "Backdoor:ASP/Chopper.F!dha",
"display_name": "Backdoor:ASP/Chopper.F!dha",
"target": "/malware/Backdoor:ASP/Chopper.F!dha"
},
{
"id": "Legacy.Trojan.Agent-37025",
"display_name": "Legacy.Trojan.Agent-37025",
"target": null
},
{
"id": "Ver",
"display_name": "Ver",
"target": null
}
],
"attack_ids": [
{
"id": "T1110.001",
"name": "Password Guessing",
"display_name": "T1110.001 - Password Guessing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 87,
"FileHash-SHA1": 84,
"FileHash-SHA256": 1049,
"URL": 1688,
"hostname": 544,
"email": 5,
"domain": 292,
"CVE": 2
},
"indicator_count": 3751,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "176 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "275 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://assets.md.docs.tw/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://assets.md.docs.tw/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776586346.373054
}