{
"type": "URL",
"indicator": "https://aws.amazon.com/s3/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://aws.amazon.com/s3/",
"type": "url",
"type_title": "URL",
"validation": [
{
"source": "alexa",
"message": "Alexa rank: #10",
"name": "Listed on Alexa"
},
{
"source": "akamai",
"message": "Akamai rank: #29",
"name": "Akamai Popular Domain"
},
{
"source": "whitelist",
"message": "Whitelisted domain amazon.com",
"name": "Whitelisted domain"
},
{
"source": "majestic",
"message": "Whitelisted domain amazon.com",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 3645215117,
"indicator": "https://aws.amazon.com/s3/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 11,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f23547b713b128b9c8156",
"name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks",
"description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
"modified": "2026-01-01T17:01:48.163000",
"created": "2025-12-02T17:35:15.203000",
"tags": [
"data upload",
"extraction",
"failed",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"united",
"flag",
"poland poland",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"show process",
"network traffic",
"t1057",
"general",
"local",
"path",
"encrypt",
"hosts ip",
"details",
"ssl certificate",
"sha256",
"sha1",
"size",
"unicode text",
"crlf",
"utf8",
"lf line",
"server",
"command decode",
"markmonitor",
"amazon",
"ltd dba",
"com laude",
"organization",
"click",
"show technique",
"brand",
"microsoft edge",
"windows nt",
"win64",
"khtml",
"gecko",
"submitted",
"prefetch1",
"name server",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"contacted hosts",
"google",
"pornhub",
"ip address",
"t1480 execution",
"file defense",
"passive dns",
"related nids",
"urls",
"files location",
"flag united"
],
"references": [
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"https://www.milehighmedia.com/legal/2257",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://twitter.com/PORNO_SEXYBABES",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"http://watchhers.net/index.php",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1358,
"FileHash-MD5": 100,
"FileHash-SHA1": 102,
"FileHash-SHA256": 1682,
"URL": 2497,
"CVE": 2,
"domain": 400,
"SSLCertFingerprint": 6,
"email": 3
},
"indicator_count": 6150,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63d10cda81e3658e38dec59c",
"name": "Amazon Phishing Collection",
"description": "This page stores Amazon phishing page IOCs. Legitimate website for the brand is https://amazon.com\nNOLA defense is tracking newly observed phishing websites. Follow us on twitter https://twitter.com/noladefense",
"modified": "2025-12-16T22:37:39.690000",
"created": "2023-01-25T11:04:58.120000",
"tags": [
"urls",
"phishing",
"scam",
"amazon"
],
"references": [
"https://www.virustotal.com/gui/collection/5c309a3b670313e97d8015d71161dd35d4a3d28f22ad35ddc633d91683a5c60a"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 207,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "noladefense",
"id": "222814",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_222814/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3,
"hostname": 2,
"domain": 1
},
"indicator_count": 6,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 438,
"modified_text": "123 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 0
},
{
"id": "67e6fb04fb6a68706be3322a",
"name": "AWS Infrastructure Abuse - 52[.]219[.]106[.]209 - 03.28.25",
"description": "AWS Services Abuse\n\nAssoc. w. Fraudulently Opened AWS Account\n-w. one of several UAlberta emails (all compromised) that were and/or are under my control\n-Pretty sure it's the OG one, but it could be one of several others\n-AWS is non-helpful (their default reply = \" login to you admin panel \"\n-My Response: I literally thought you guys did music and/or shopping...",
"modified": "2025-04-27T19:00:05.873000",
"created": "2025-03-28T19:39:48.521000",
"tags": [
"triage",
"malware",
"analysis",
"report",
"reported",
"analyze",
"sandbox",
"file",
"download submit",
"prefetch8",
"sha512",
"sha256",
"sha1",
"filesize",
"xamzexpires300",
"process key",
"key value",
"general",
"config",
"copy",
"target",
"impact",
"virus",
"trojan",
"ransomware",
"static",
"indicator of compromise",
"ioc",
"extraction",
"emulation",
"online",
"submit",
"sample",
"download",
"platform",
"or requesturl",
"vxstream",
"apt",
"ansi",
"pcap processing",
"pcap",
"prefetch8 ansi",
"united",
"show process",
"programfiles",
"hash seen",
"pcap frame",
"ck id",
"win64",
"comspec",
"suspicious",
"date",
"model",
"hybrid",
"starfield",
"close",
"click",
"hosts",
"path",
"window",
"strings",
"contact",
"threat intelligence",
"feed",
"change theme",
"contact us",
"intelligence",
"threats api",
"analyze api",
"overview",
"threats explore",
"rate limits",
"stixtaxii",
"bulk export",
"please",
"javascript",
"iocs",
"process"
],
"references": [
"https://tria.ge/250328-xmhths1rt6/behavioral1",
"https://www.filescan.io/uploads/67e6f483f274bf2d8e27b823/reports/26555bf0-1f5d-492c-a86b-39c4bb5f76f8/ioc",
"https://hybrid-analysis.com/sample/1ceef2a92a8671f8cf377e28b138cc410ae84eefd7225f44771fe8befe017913/67e6f4a893575829ef073f55",
"https://pulsedive.com/indicator/?iid=23858397",
"https://www.virustotal.com/gui/url/f2c8c437003ad015f993ffdb38cd6d3eb7c6bee9dd5f9dd8ab49d033576b797a/details",
"https://tria.ge/250328-xvkyvazwg1/behavioral1",
"52[.]219[.]106[.]209 - https://polyswarm.network/scan/results/url/55edb42c9f7fb2a7a6562dd6e9e80b36e4b2a9183800bf837ecd198f627bc681/details"
],
"public": 1,
"adversary": "AWS Support",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1217",
"name": "Browser Bookmark Discovery",
"display_name": "T1217 - Browser Bookmark Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Technology",
"Education",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 39,
"FileHash-SHA1": 40,
"FileHash-SHA256": 42,
"URL": 131,
"hostname": 102,
"domain": 15,
"SSLCertFingerprint": 15
},
"indicator_count": 384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "356 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67e6fb077245707cbb427abd",
"name": "AWS Abuse - 52[.]219[.]106[.]209 - 03.28.25",
"description": "AWS Services Abuse\n\nAssoc. w. Fraudulently Opened AWS Account\n-w. one of several UAlberta emails (all compromised) that were and/or are under my control\n-Pretty sure it's the OG one, but it could be one of several others\n-AWS is non-helpful (their default reply = \" login to you admin panel \"\n-My Response: I literally thought you guys did music and/or shopping...",
"modified": "2025-04-27T19:00:05.873000",
"created": "2025-03-28T19:39:51.375000",
"tags": [
"triage",
"malware",
"analysis",
"report",
"reported",
"analyze",
"sandbox",
"file",
"download submit",
"prefetch8",
"sha512",
"sha256",
"sha1",
"filesize",
"xamzexpires300",
"process key",
"key value",
"general",
"config",
"copy",
"target",
"impact",
"virus",
"trojan",
"ransomware",
"static",
"indicator of compromise",
"ioc",
"extraction",
"emulation",
"online",
"submit",
"sample",
"download",
"platform",
"or requesturl",
"vxstream",
"apt",
"ansi",
"pcap processing",
"pcap",
"prefetch8 ansi",
"united",
"show process",
"programfiles",
"hash seen",
"pcap frame",
"ck id",
"win64",
"comspec",
"suspicious",
"date",
"model",
"hybrid",
"starfield",
"close",
"click",
"hosts",
"path",
"window",
"strings",
"contact",
"threat intelligence",
"feed",
"change theme",
"contact us",
"intelligence",
"threats api",
"analyze api",
"overview",
"threats explore",
"rate limits",
"stixtaxii",
"bulk export",
"please",
"javascript",
"iocs",
"process"
],
"references": [
"https://tria.ge/250328-xmhths1rt6/behavioral1",
"https://www.filescan.io/uploads/67e6f483f274bf2d8e27b823/reports/26555bf0-1f5d-492c-a86b-39c4bb5f76f8/ioc",
"https://hybrid-analysis.com/sample/1ceef2a92a8671f8cf377e28b138cc410ae84eefd7225f44771fe8befe017913/67e6f4a893575829ef073f55",
"https://pulsedive.com/indicator/?iid=23858397",
"https://www.virustotal.com/gui/url/f2c8c437003ad015f993ffdb38cd6d3eb7c6bee9dd5f9dd8ab49d033576b797a/details",
"https://tria.ge/250328-xvkyvazwg1/behavioral1",
"52[.]219[.]106[.]209 - https://polyswarm.network/scan/results/url/55edb42c9f7fb2a7a6562dd6e9e80b36e4b2a9183800bf837ecd198f627bc681/details"
],
"public": 1,
"adversary": "AWS Support",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1217",
"name": "Browser Bookmark Discovery",
"display_name": "T1217 - Browser Bookmark Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Technology",
"Education",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 39,
"FileHash-SHA1": 40,
"FileHash-SHA256": 42,
"URL": 131,
"hostname": 102,
"domain": 15,
"SSLCertFingerprint": 15
},
"indicator_count": 384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "356 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b2909ffdc623904cbfd91d",
"name": "PEXE - DOS executable (COM)",
"description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-25T16:47:26.970000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b4757a662a146889c60b6c",
"name": "PEXE - DOS executable (COM)",
"description": "",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-27T03:16:10.970000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65b2909ffdc623904cbfd91d",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b4757d6dd7dae344aed3f5",
"name": "PEXE - DOS executable (COM)",
"description": "",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-27T03:16:13.209000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65b2909ffdc623904cbfd91d",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b85dca7d8bf0aea33abc3a",
"name": "PEXE - DOS executable ",
"description": "",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-30T02:24:10.454000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65b4757a662a146889c60b6c",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64ff7418030c1908b63c1da3",
"name": "Amazon Phishing Collection",
"description": "",
"modified": "2023-09-11T20:10:00.089000",
"created": "2023-09-11T20:10:00.089000",
"tags": [
"urls",
"phishing",
"scam",
"amazon"
],
"references": [
"https://www.virustotal.com/gui/collection/5c309a3b670313e97d8015d71161dd35d4a3d28f22ad35ddc633d91683a5c60a"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "63d10cda81e3658e38dec59c",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3,
"hostname": 3
},
"indicator_count": 6,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "950 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 0
},
{
"id": "641260353b24792bd22d9158",
"name": "Twitter Feed - noladefense - 15-03-2023",
"description": "",
"modified": "2023-04-15T00:01:41.043000",
"created": "2023-03-16T00:17:57.133000",
"tags": [
"phishing"
],
"references": [
"https://twitter.com/noladefense/status/1635803452684095491",
"https://twitter.com/noladefense/status/1635816162964406275",
"https://twitter.com/noladefense/status/1635818531483680769",
"https://twitter.com/noladefense/status/1635826152852926469",
"https://twitter.com/noladefense/status/1635833453546463232",
"https://twitter.com/noladefense/status/1635833491047739393",
"https://twitter.com/noladefense/status/1635833631175475200",
"https://twitter.com/noladefense/status/1635833679300665344",
"https://twitter.com/noladefense/status/1635833687085314048",
"https://twitter.com/noladefense/status/1635833697143324672",
"https://twitter.com/noladefense/status/1635833721403109379",
"https://twitter.com/noladefense/status/1635834885158891520",
"https://twitter.com/noladefense/status/1635834929001947136",
"https://twitter.com/noladefense/status/1635835002767147008",
"https://twitter.com/noladefense/status/1635835104256819202",
"https://twitter.com/noladefense/status/1635841179068641280",
"https://twitter.com/noladefense/status/1635847238650847235",
"https://twitter.com/noladefense/status/1635856282421719045",
"https://twitter.com/noladefense/status/1635867742690762752",
"https://twitter.com/noladefense/status/1635867759656460289",
"https://twitter.com/noladefense/status/1635868258959065089",
"https://twitter.com/noladefense/status/1635868304005816322",
"https://twitter.com/noladefense/status/1635868351644803073",
"https://twitter.com/noladefense/status/1635869041108701184",
"https://twitter.com/noladefense/status/1635869087703224320",
"https://twitter.com/noladefense/status/1635869123233079297",
"https://twitter.com/noladefense/status/1635869182372855809",
"https://twitter.com/noladefense/status/1635869232368844800",
"https://twitter.com/noladefense/status/1635870389669699586",
"https://twitter.com/noladefense/status/1635871372231491584",
"https://twitter.com/noladefense/status/1635871405626499073",
"https://twitter.com/noladefense/status/1635878939317923840",
"https://twitter.com/noladefense/status/1635878969760182274",
"https://twitter.com/noladefense/status/1635886508891598848",
"https://twitter.com/noladefense/status/1635886521407492096",
"https://twitter.com/noladefense/status/1635889708017364993",
"https://twitter.com/noladefense/status/1635889960480800768",
"https://twitter.com/noladefense/status/1635891554329001984",
"https://twitter.com/noladefense/status/1635894064057929729",
"https://twitter.com/noladefense/status/1635894071972470784",
"https://twitter.com/noladefense/status/1635906861521092614",
"https://twitter.com/noladefense/status/1635907996378177537",
"https://twitter.com/noladefense/status/1635908072521494528",
"https://twitter.com/noladefense/status/1635909164382732291",
"https://twitter.com/noladefense/status/1635916683381448704",
"https://twitter.com/noladefense/status/1635916690000080898",
"https://twitter.com/noladefense/status/1635916727585316865",
"https://twitter.com/noladefense/status/1635916736481357824",
"https://twitter.com/noladefense/status/1635923825379377153",
"https://twitter.com/noladefense/status/1635923892064641026",
"https://twitter.com/noladefense/status/1635923966089986053",
"https://twitter.com/noladefense/status/1635924254695780352",
"https://twitter.com/noladefense/status/1635941005877755907",
"https://twitter.com/noladefense/status/1635941016355127296",
"https://twitter.com/noladefense/status/1635954445350494212",
"https://twitter.com/noladefense/status/1635956675533328387",
"https://twitter.com/noladefense/status/1635956930597330944",
"https://twitter.com/noladefense/status/1635957052823445504",
"https://twitter.com/noladefense/status/1635957177721520129",
"https://twitter.com/noladefense/status/1635957286265925632",
"https://twitter.com/noladefense/status/1635957456151928833",
"https://twitter.com/noladefense/status/1635969548078686211",
"https://twitter.com/noladefense/status/1635977124371746817",
"https://twitter.com/noladefense/status/1635984655554949124",
"https://twitter.com/noladefense/status/1635984664086159360",
"https://twitter.com/noladefense/status/1635992194564730882",
"https://twitter.com/noladefense/status/1635992203603374086",
"https://twitter.com/noladefense/status/1635999736325894144",
"https://twitter.com/noladefense/status/1635999739815555073",
"https://twitter.com/noladefense/status/1635999745410834434",
"https://twitter.com/noladefense/status/1636007278368129024",
"https://twitter.com/noladefense/status/1636007288140963840",
"https://twitter.com/noladefense/status/1636007298869993474",
"https://twitter.com/noladefense/status/1636007307950661632",
"https://twitter.com/noladefense/status/1636010422917554184",
"https://twitter.com/noladefense/status/1636014830220894208",
"https://twitter.com/noladefense/status/1636014853365039105",
"https://twitter.com/noladefense/status/1636014861598507010",
"https://twitter.com/noladefense/status/1636014867030179842",
"https://twitter.com/noladefense/status/1636018432742240261",
"https://twitter.com/noladefense/status/1636022408317468672",
"https://twitter.com/noladefense/status/1636022419402915840",
"https://twitter.com/noladefense/status/1636029930226982915",
"https://twitter.com/noladefense/status/1636029935281135617",
"https://twitter.com/noladefense/status/1636029948518449153",
"https://twitter.com/noladefense/status/1636029961394962432",
"https://twitter.com/noladefense/status/1636037475092119554",
"https://twitter.com/noladefense/status/1636045069626101763",
"https://twitter.com/noladefense/status/1636045076240498688",
"https://twitter.com/noladefense/status/1636052590830952448",
"https://twitter.com/noladefense/status/1636060127529689088",
"https://twitter.com/noladefense/status/1636068280082341893",
"https://twitter.com/noladefense/status/1636082792210505731",
"https://twitter.com/noladefense/status/1636083458945564672",
"https://twitter.com/noladefense/status/1636083476075012096",
"https://twitter.com/noladefense/status/1636090335829868544",
"https://twitter.com/noladefense/status/1636097878547472385",
"https://twitter.com/noladefense/status/1636097886009081856",
"https://twitter.com/noladefense/status/1636098501216985088",
"https://twitter.com/noladefense/status/1636098583664492545",
"https://twitter.com/noladefense/status/1636098648831344643",
"https://twitter.com/noladefense/status/1636098732360957956",
"https://twitter.com/noladefense/status/1636112975588392960",
"https://twitter.com/noladefense/status/1636128090442145792",
"https://twitter.com/noladefense/status/1636143175885545472"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "CyberHunterAutoFeed",
"id": "182496",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 94
},
"indicator_count": 94,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1600,
"modified_text": "1100 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://twitter.com/noladefense/status/1635835104256819202",
"https://twitter.com/noladefense/status/1635803452684095491",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"https://twitter.com/noladefense/status/1635999745410834434",
"https://twitter.com/noladefense/status/1635834885158891520",
"https://twitter.com/noladefense/status/1635833453546463232",
"https://twitter.com/noladefense/status/1635834929001947136",
"https://twitter.com/noladefense/status/1635984655554949124",
"https://www.filescan.io/uploads/67e6f483f274bf2d8e27b823/reports/26555bf0-1f5d-492c-a86b-39c4bb5f76f8/ioc",
"https://twitter.com/noladefense/status/1635923892064641026",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"https://tria.ge/250328-xvkyvazwg1/behavioral1",
"https://twitter.com/noladefense/status/1636007288140963840",
"https://twitter.com/noladefense/status/1636097878547472385",
"https://twitter.com/noladefense/status/1635833687085314048",
"https://twitter.com/noladefense/status/1636029930226982915",
"https://twitter.com/noladefense/status/1635818531483680769",
"https://twitter.com/noladefense/status/1635833631175475200",
"PEXE - DOS executable (COM)",
"https://www.virustotal.com/gui/url/f2c8c437003ad015f993ffdb38cd6d3eb7c6bee9dd5f9dd8ab49d033576b797a/details",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://twitter.com/noladefense/status/1635871372231491584",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"https://twitter.com/noladefense/status/1635869087703224320",
"https://twitter.com/noladefense/status/1635957177721520129",
"https://twitter.com/noladefense/status/1636082792210505731",
"https://twitter.com/noladefense/status/1635869041108701184",
"https://twitter.com/noladefense/status/1636045069626101763",
"https://twitter.com/noladefense/status/1635907996378177537",
"http://sexkompas.xyz",
"https://twitter.com/noladefense/status/1635941016355127296",
"https://twitter.com/noladefense/status/1635908072521494528",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"https://twitter.com/noladefense/status/1636007298869993474",
"https://twitter.com/noladefense/status/1635869232368844800",
"https://l.us-1.a.mimecastprotect.com/l",
"https://twitter.com/noladefense/status/1635923966089986053",
"https://tria.ge/250328-xmhths1rt6/behavioral1",
"https://twitter.com/noladefense/status/1635969548078686211",
"https://twitter.com/noladefense/status/1636022408317468672",
"https://twitter.com/noladefense/status/1636060127529689088",
"https://twitter.com/noladefense/status/1636128090442145792",
"https://twitter.com/noladefense/status/1635841179068641280",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"https://twitter.com/noladefense/status/1635870389669699586",
"https://twitter.com/noladefense/status/1636098501216985088",
"https://twitter.com/noladefense/status/1636029948518449153",
"https://twitter.com/noladefense/status/1635977124371746817",
"https://twitter.com/noladefense/status/1635886508891598848",
"https://twitter.com/noladefense/status/1635909164382732291",
"https://twitter.com/noladefense/status/1635906861521092614",
"https://twitter.com/noladefense/status/1636083458945564672",
"https://twitter.com/noladefense/status/1636014867030179842",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"https://twitter.com/noladefense/status/1635956930597330944",
"https://twitter.com/noladefense/status/1636112975588392960",
"https://twitter.com/PORNO_SEXYBABES",
"https://twitter.com/noladefense/status/1635894064057929729",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"https://twitter.com/noladefense/status/1636090335829868544",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://twitter.com/noladefense/status/1635869182372855809",
"https://twitter.com/noladefense/status/1636029961394962432",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"https://twitter.com/noladefense/status/1635984664086159360",
"https://twitter.com/noladefense/status/1635867759656460289",
"https://twitter.com/noladefense/status/1636037475092119554",
"https://twitter.com/noladefense/status/1636097886009081856",
"https://twitter.com/noladefense/status/1635868351644803073",
"https://twitter.com/noladefense/status/1635957052823445504",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"https://twitter.com/noladefense/status/1635891554329001984",
"https://twitter.com/noladefense/status/1636014861598507010",
"https://twitter.com/noladefense/status/1635847238650847235",
"https://twitter.com/noladefense/status/1636014830220894208",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com",
"https://twitter.com/noladefense/status/1635833721403109379",
"https://twitter.com/noladefense/status/1635923825379377153",
"https://twitter.com/noladefense/status/1636052590830952448",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"https://twitter.com/noladefense/status/1635878939317923840",
"https://twitter.com/noladefense/status/1635868258959065089",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"https://twitter.com/noladefense/status/1635957286265925632",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"Found in: https://jbplegal.com",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"https://twitter.com/noladefense/status/1635856282421719045",
"https://twitter.com/noladefense/status/1635867742690762752",
"https://twitter.com/noladefense/status/1635816162964406275",
"https://twitter.com/noladefense/status/1635833679300665344",
"https://twitter.com/noladefense/status/1635999739815555073",
"https://twitter.com/noladefense/status/1636010422917554184",
"https://twitter.com/noladefense/status/1636018432742240261",
"https://hybrid-analysis.com/sample/1ceef2a92a8671f8cf377e28b138cc410ae84eefd7225f44771fe8befe017913/67e6f4a893575829ef073f55",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"https://twitter.com/noladefense/status/1636083476075012096",
"https://twitter.com/noladefense/status/1636029935281135617",
"https://twitter.com/noladefense/status/1635886521407492096",
"https://twitter.com/noladefense/status/1635871405626499073",
"https://twitter.com/noladefense/status/1635833697143324672",
"https://twitter.com/noladefense/status/1635954445350494212",
"https://twitter.com/noladefense/status/1636014853365039105",
"https://twitter.com/noladefense/status/1636143175885545472",
"https://twitter.com/noladefense/status/1636022419402915840",
"I apologize for the lack of reference.",
"https://twitter.com/noladefense/status/1636098732360957956",
"https://twitter.com/noladefense/status/1636098648831344643",
"https://twitter.com/noladefense/status/1635878969760182274",
"52[.]219[.]106[.]209 - https://polyswarm.network/scan/results/url/55edb42c9f7fb2a7a6562dd6e9e80b36e4b2a9183800bf837ecd198f627bc681/details",
"https://twitter.com/noladefense/status/1635992194564730882",
"Requires further research.",
"https://twitter.com/noladefense/status/1636045076240498688",
"div>
",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg",
"https://twitter.com/noladefense/status/1635894071972470784",
"https://twitter.com/noladefense/status/1635889708017364993",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://twitter.com/noladefense/status/1636068280082341893",
"https://twitter.com/noladefense/status/1635889960480800768",
"https://twitter.com/noladefense/status/1635956675533328387",
"https://twitter.com/noladefense/status/1635833491047739393",
"https://twitter.com/noladefense/status/1635868304005816322",
"https://twitter.com/noladefense/status/1636007307950661632",
"https://twitter.com/noladefense/status/1635957456151928833",
"https://twitter.com/noladefense/status/1636098583664492545",
"https://twitter.com/noladefense/status/1635835002767147008",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"http://watchhers.net/index.php",
"https://twitter.com/noladefense/status/1635916690000080898",
"https://twitter.com/noladefense/status/1635999736325894144",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://twitter.com/noladefense/status/1635916727585316865",
"https://twitter.com/noladefense/status/1635992203603374086",
"https://www.virustotal.com/gui/collection/5c309a3b670313e97d8015d71161dd35d4a3d28f22ad35ddc633d91683a5c60a",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://twitter.com/noladefense/status/1635916683381448704",
"Same legal , and quasi governmental pattern identified",
"https://twitter.com/noladefense/status/1636007278368129024",
"https://twitter.com/noladefense/status/1635924254695780352",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"It appears there are 5-7 known affected that I was able to find",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://twitter.com/noladefense/status/1635869123233079297",
"https://pulsedive.com/indicator/?iid=23858397",
"https://twitter.com/noladefense/status/1635916736481357824",
"https://twitter.com/noladefense/status/1635826152852926469",
"https://www.milehighmedia.com/legal/2257",
"tracking2youdu.com , cdn.livechatinc.com",
"https://twitter.com/noladefense/status/1635941005877755907",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"AWS Support"
],
"malware_families": [
"Mydoom",
"Win.malware.vtflooder-6260355-1",
"Cve-2023-22518",
"Trojan:win32/glupteba.mt!mtb",
"Other malware",
"#lowfi:lua:dllsuspiciousexport.a",
"Win32:pwsx-gen",
"Win32:malware-gen",
"Etpro",
"Trojan:win32/smkldr.h!mtb",
"Win32:injector-cvf\\ [trj]\t\twin.mal",
"Icedid",
"Win.trojan.buzus-5453"
],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecom",
"Legal",
"Technology",
"Civil society"
],
"unique_indicators": 52575
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/amazon.com",
"whois": "http://whois.domaintools.com/amazon.com",
"domain": "amazon.com",
"hostname": "aws.amazon.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 11,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f23547b713b128b9c8156",
"name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks",
"description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
"modified": "2026-01-01T17:01:48.163000",
"created": "2025-12-02T17:35:15.203000",
"tags": [
"data upload",
"extraction",
"failed",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"united",
"flag",
"poland poland",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"show process",
"network traffic",
"t1057",
"general",
"local",
"path",
"encrypt",
"hosts ip",
"details",
"ssl certificate",
"sha256",
"sha1",
"size",
"unicode text",
"crlf",
"utf8",
"lf line",
"server",
"command decode",
"markmonitor",
"amazon",
"ltd dba",
"com laude",
"organization",
"click",
"show technique",
"brand",
"microsoft edge",
"windows nt",
"win64",
"khtml",
"gecko",
"submitted",
"prefetch1",
"name server",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"contacted hosts",
"google",
"pornhub",
"ip address",
"t1480 execution",
"file defense",
"passive dns",
"related nids",
"urls",
"files location",
"flag united"
],
"references": [
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"https://www.milehighmedia.com/legal/2257",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://twitter.com/PORNO_SEXYBABES",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"http://watchhers.net/index.php",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1358,
"FileHash-MD5": 100,
"FileHash-SHA1": 102,
"FileHash-SHA256": 1682,
"URL": 2497,
"CVE": 2,
"domain": 400,
"SSLCertFingerprint": 6,
"email": 3
},
"indicator_count": 6150,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63d10cda81e3658e38dec59c",
"name": "Amazon Phishing Collection",
"description": "This page stores Amazon phishing page IOCs. Legitimate website for the brand is https://amazon.com\nNOLA defense is tracking newly observed phishing websites. Follow us on twitter https://twitter.com/noladefense",
"modified": "2025-12-16T22:37:39.690000",
"created": "2023-01-25T11:04:58.120000",
"tags": [
"urls",
"phishing",
"scam",
"amazon"
],
"references": [
"https://www.virustotal.com/gui/collection/5c309a3b670313e97d8015d71161dd35d4a3d28f22ad35ddc633d91683a5c60a"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 207,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "noladefense",
"id": "222814",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_222814/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3,
"hostname": 2,
"domain": 1
},
"indicator_count": 6,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 438,
"modified_text": "123 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 0
},
{
"id": "67e6fb04fb6a68706be3322a",
"name": "AWS Infrastructure Abuse - 52[.]219[.]106[.]209 - 03.28.25",
"description": "AWS Services Abuse\n\nAssoc. w. Fraudulently Opened AWS Account\n-w. one of several UAlberta emails (all compromised) that were and/or are under my control\n-Pretty sure it's the OG one, but it could be one of several others\n-AWS is non-helpful (their default reply = \" login to you admin panel \"\n-My Response: I literally thought you guys did music and/or shopping...",
"modified": "2025-04-27T19:00:05.873000",
"created": "2025-03-28T19:39:48.521000",
"tags": [
"triage",
"malware",
"analysis",
"report",
"reported",
"analyze",
"sandbox",
"file",
"download submit",
"prefetch8",
"sha512",
"sha256",
"sha1",
"filesize",
"xamzexpires300",
"process key",
"key value",
"general",
"config",
"copy",
"target",
"impact",
"virus",
"trojan",
"ransomware",
"static",
"indicator of compromise",
"ioc",
"extraction",
"emulation",
"online",
"submit",
"sample",
"download",
"platform",
"or requesturl",
"vxstream",
"apt",
"ansi",
"pcap processing",
"pcap",
"prefetch8 ansi",
"united",
"show process",
"programfiles",
"hash seen",
"pcap frame",
"ck id",
"win64",
"comspec",
"suspicious",
"date",
"model",
"hybrid",
"starfield",
"close",
"click",
"hosts",
"path",
"window",
"strings",
"contact",
"threat intelligence",
"feed",
"change theme",
"contact us",
"intelligence",
"threats api",
"analyze api",
"overview",
"threats explore",
"rate limits",
"stixtaxii",
"bulk export",
"please",
"javascript",
"iocs",
"process"
],
"references": [
"https://tria.ge/250328-xmhths1rt6/behavioral1",
"https://www.filescan.io/uploads/67e6f483f274bf2d8e27b823/reports/26555bf0-1f5d-492c-a86b-39c4bb5f76f8/ioc",
"https://hybrid-analysis.com/sample/1ceef2a92a8671f8cf377e28b138cc410ae84eefd7225f44771fe8befe017913/67e6f4a893575829ef073f55",
"https://pulsedive.com/indicator/?iid=23858397",
"https://www.virustotal.com/gui/url/f2c8c437003ad015f993ffdb38cd6d3eb7c6bee9dd5f9dd8ab49d033576b797a/details",
"https://tria.ge/250328-xvkyvazwg1/behavioral1",
"52[.]219[.]106[.]209 - https://polyswarm.network/scan/results/url/55edb42c9f7fb2a7a6562dd6e9e80b36e4b2a9183800bf837ecd198f627bc681/details"
],
"public": 1,
"adversary": "AWS Support",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1217",
"name": "Browser Bookmark Discovery",
"display_name": "T1217 - Browser Bookmark Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Technology",
"Education",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 39,
"FileHash-SHA1": 40,
"FileHash-SHA256": 42,
"URL": 131,
"hostname": 102,
"domain": 15,
"SSLCertFingerprint": 15
},
"indicator_count": 384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "356 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67e6fb077245707cbb427abd",
"name": "AWS Abuse - 52[.]219[.]106[.]209 - 03.28.25",
"description": "AWS Services Abuse\n\nAssoc. w. Fraudulently Opened AWS Account\n-w. one of several UAlberta emails (all compromised) that were and/or are under my control\n-Pretty sure it's the OG one, but it could be one of several others\n-AWS is non-helpful (their default reply = \" login to you admin panel \"\n-My Response: I literally thought you guys did music and/or shopping...",
"modified": "2025-04-27T19:00:05.873000",
"created": "2025-03-28T19:39:51.375000",
"tags": [
"triage",
"malware",
"analysis",
"report",
"reported",
"analyze",
"sandbox",
"file",
"download submit",
"prefetch8",
"sha512",
"sha256",
"sha1",
"filesize",
"xamzexpires300",
"process key",
"key value",
"general",
"config",
"copy",
"target",
"impact",
"virus",
"trojan",
"ransomware",
"static",
"indicator of compromise",
"ioc",
"extraction",
"emulation",
"online",
"submit",
"sample",
"download",
"platform",
"or requesturl",
"vxstream",
"apt",
"ansi",
"pcap processing",
"pcap",
"prefetch8 ansi",
"united",
"show process",
"programfiles",
"hash seen",
"pcap frame",
"ck id",
"win64",
"comspec",
"suspicious",
"date",
"model",
"hybrid",
"starfield",
"close",
"click",
"hosts",
"path",
"window",
"strings",
"contact",
"threat intelligence",
"feed",
"change theme",
"contact us",
"intelligence",
"threats api",
"analyze api",
"overview",
"threats explore",
"rate limits",
"stixtaxii",
"bulk export",
"please",
"javascript",
"iocs",
"process"
],
"references": [
"https://tria.ge/250328-xmhths1rt6/behavioral1",
"https://www.filescan.io/uploads/67e6f483f274bf2d8e27b823/reports/26555bf0-1f5d-492c-a86b-39c4bb5f76f8/ioc",
"https://hybrid-analysis.com/sample/1ceef2a92a8671f8cf377e28b138cc410ae84eefd7225f44771fe8befe017913/67e6f4a893575829ef073f55",
"https://pulsedive.com/indicator/?iid=23858397",
"https://www.virustotal.com/gui/url/f2c8c437003ad015f993ffdb38cd6d3eb7c6bee9dd5f9dd8ab49d033576b797a/details",
"https://tria.ge/250328-xvkyvazwg1/behavioral1",
"52[.]219[.]106[.]209 - https://polyswarm.network/scan/results/url/55edb42c9f7fb2a7a6562dd6e9e80b36e4b2a9183800bf837ecd198f627bc681/details"
],
"public": 1,
"adversary": "AWS Support",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1217",
"name": "Browser Bookmark Discovery",
"display_name": "T1217 - Browser Bookmark Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Technology",
"Education",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 39,
"FileHash-SHA1": 40,
"FileHash-SHA256": 42,
"URL": 131,
"hostname": 102,
"domain": 15,
"SSLCertFingerprint": 15
},
"indicator_count": 384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "356 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b2909ffdc623904cbfd91d",
"name": "PEXE - DOS executable (COM)",
"description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-25T16:47:26.970000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b4757a662a146889c60b6c",
"name": "PEXE - DOS executable (COM)",
"description": "",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-27T03:16:10.970000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65b2909ffdc623904cbfd91d",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b4757d6dd7dae344aed3f5",
"name": "PEXE - DOS executable (COM)",
"description": "",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-27T03:16:13.209000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65b2909ffdc623904cbfd91d",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b85dca7d8bf0aea33abc3a",
"name": "PEXE - DOS executable ",
"description": "",
"modified": "2024-02-24T16:01:22.095000",
"created": "2024-01-30T02:24:10.454000",
"tags": [
"network_icmp",
"sha256",
"yara detections",
"alerts",
"icmp traffic",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"spain unknown",
"search",
"date",
"status",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"next",
"as197068 hll",
"russia unknown",
"ipv4",
"body",
"alive",
"belarus unknown",
"aaaa",
"moved",
"domain names",
"creation date",
"record value",
"expiration date",
"a domains",
"facebook",
"twitter",
"encrypt",
"httponly",
"url http",
"http",
"ip address",
"related nids",
"germany unknown",
"united",
"as3320 deutsche",
"france unknown",
"united kingdom",
"italy unknown",
"as7922 comcast",
"as701 verizon",
"as3209 vodafone",
"china unknown",
"unknown",
"as44273 host",
"msie",
"chrome",
"name servers",
"hostname",
"maxage86400",
"ip asn",
"maxage2592000",
"gmt server",
"amazons3",
"unique",
"as58061 scalaxy",
"all search",
"otx scoreblue",
"cyprus unknown",
"as26347",
"customer",
"entries",
"sexkompas",
"script urls",
"meta",
"as29182 jsc",
"gmt content",
"script domains",
"gmt etag",
"as61400",
"screenshot",
"apache",
"path",
"as59711 hz",
"asn as59711",
"dns resolutions",
"non dsp",
"cor cura",
"url https",
"as199386 zilore",
"showing",
"admitad meta",
"as44066",
"connection",
"date sat",
"server amazons3",
"cloudfront",
"xcache miss",
"contentlength",
"acceptranges",
"server",
"gmt expires",
"code",
"title error",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"win32",
"as3326",
"present jan",
"reverse dns",
"gmt path",
"set cookie",
"certificate",
"pragma",
"location united",
"show",
"medium",
"authenticode",
"delete",
"productversion",
"fileversion",
"thawte",
"copy",
"malware",
"write",
"etpro",
"as14061",
"whitelisted",
"as9009 m247",
"paris",
"otx telemetry",
"for privacy",
"redacted for",
"dns",
"DNSpionage",
"apple",
"ios",
"global",
"cyber threat",
"tracking",
"legal abuse",
"privilege escalation",
"network",
"redirect",
"exploit kit",
"mey",
"spyware",
"dropper",
"x adblock",
"virgin islands",
"type",
"content length",
"dga",
"as3175 filanco",
"cname",
"thawte code",
"as32244 liquid",
"as24940 hetzner",
"head body",
"center hr",
"gmt contenttype",
"title",
"registrar",
"markmonitor",
"internet",
"iana",
"nethandle",
"net192",
"net1920000",
"iana special",
"icann",
"please refer",
"ietf",
"best current",
"whois whois",
"resolutions",
"communicating",
"referrer",
"win32 exe",
"putty",
"java",
"type name",
"pe32 executable",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"info compiler",
"products",
"vs2005",
"vs2008 sp1",
"vs2008",
"header x64",
"name md5",
"virtualalloc"
],
"references": [
"PEXE - DOS executable (COM)",
"redirect_keitaro_exploit_kit_compromised_site_se_referrer",
"Found in: https://jbplegal.com",
"http://sexkompas.xyz",
"DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
"tracking2youdu.com , cdn.livechatinc.com",
"device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
"http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Netherlands",
"China",
"United States of America",
"Chile",
"Germany",
"France"
],
"malware_families": [
{
"id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
"target": null
},
{
"id": "Win.Malware.Vtflooder-6260355-1",
"display_name": "Win.Malware.Vtflooder-6260355-1",
"target": null
},
{
"id": "Win.Trojan.Buzus-5453",
"display_name": "Win.Trojan.Buzus-5453",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:PWSX-gen",
"display_name": "Win32:PWSX-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
}
],
"industries": [
"Legal",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65b4757a662a146889c60b6c",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 71,
"FileHash-SHA256": 1690,
"URL": 9526,
"domain": 4882,
"hostname": 6120,
"email": 250,
"CVE": 2
},
"indicator_count": 22694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "784 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64ff7418030c1908b63c1da3",
"name": "Amazon Phishing Collection",
"description": "",
"modified": "2023-09-11T20:10:00.089000",
"created": "2023-09-11T20:10:00.089000",
"tags": [
"urls",
"phishing",
"scam",
"amazon"
],
"references": [
"https://www.virustotal.com/gui/collection/5c309a3b670313e97d8015d71161dd35d4a3d28f22ad35ddc633d91683a5c60a"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "63d10cda81e3658e38dec59c",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3,
"hostname": 3
},
"indicator_count": 6,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "950 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 0
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://aws.amazon.com/s3/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://aws.amazon.com/s3/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776597693.3731463
}