{
"type": "URL",
"indicator": "https://beta.onemusic.ph",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://beta.onemusic.ph",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3253666817,
"indicator": "https://beta.onemusic.ph",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 45,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b9fd811ffc6684ba25f7",
"name": "Isolated DoD now DoW nodes - emotional commentary",
"description": "*https://www.sentient.industries/\n*trk.b.jackrogersusa.com\n*http://trk.southerntide.com/\nOTX is auto populating this pulse. Let\u2019s see\u2026",
"modified": "2025-11-04T18:01:18.650000",
"created": "2025-10-05T18:33:33.277000",
"tags": [
"united",
"present feb",
"present may",
"aaaa",
"present jul",
"passive dns",
"ip address",
"present dec",
"present sep",
"present jun",
"url https",
"url http",
"type indicator",
"role title",
"added active",
"related pulses",
"germany",
"taiwan",
"netherlands",
"china",
"search",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"ascii text",
"size",
"pattern match",
"mitre att",
"ck id",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"indicator role",
"title added",
"active related",
"pulses url",
"ruby",
"jeffrey reimer",
"target",
"tsara",
"information",
"capture",
"gather victim",
"report spam",
"kill targets",
"created",
"starfield",
"show technique",
"date"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1333,
"domain": 355,
"URL": 5874,
"hostname": 1066,
"FileHash-SHA1": 101,
"FileHash-MD5": 88,
"SSLCertFingerprint": 2
},
"indicator_count": 8819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "166 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "682fb4c264a51bf88115b6d2",
"name": "allegro.pl/uzytkownik/adam_f. vgt.pl , sanselo.pl, bipadorno.pl",
"description": "https://www.virustotal.com/gui/file/db7d7637c8fa698616282e31b1541082751601b27a3e71ad18caf138451c346a/relations\nhttps://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"modified": "2025-06-22T07:00:28.087000",
"created": "2025-05-22T23:35:30.122000",
"tags": [
"whasz"
],
"references": [
"https://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"https://allegro.pl/uzytkownik/adam_f.?srsltid=AfmBOoqX6vYV4qDgCzkkJhmipZLDrarI5MuggstojVsohtfiSM_s0jdd&dd_referrer=https://www.google.com/"
],
"public": 1,
"adversary": "fac1ec40eea5a4fc05f17e019328e287.wirus",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 163,
"FileHash-SHA1": 162,
"FileHash-SHA256": 1706,
"domain": 596,
"hostname": 1278,
"URL": 6163
},
"indicator_count": 10068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "301 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65f27f90cb56df78929c01d4",
"name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI",
"description": "",
"modified": "2024-09-24T14:02:17.711000",
"created": "2024-03-14T04:39:44.522000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"suricata udpv4",
"programfiles",
"ck id",
"show technique",
"ck matrix",
"windir",
"date",
"win64",
"hybrid",
"general",
"model",
"comspec",
"click",
"strings",
"contact",
"hostnames",
"urls http",
"samples",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"siblings",
"contacted",
"pe resource",
"communicating",
"subdomains",
"whois whois",
"copy",
"ursnif",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"ramnit",
"lskeyc",
"maxage31536000",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"team top",
"site top",
"site safe",
"heur",
"ccleaner",
"adware",
"downldr",
"union",
"bank",
"cve201711882",
"xrat",
"phishing",
"team",
"alexa",
"static engine",
"passive dns",
"unknown",
"title error",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"thu jul",
"fri dec",
"hybridanalysis",
"generic malware",
"malware",
"wed dec",
"free automated",
"service",
"thu dec",
"cidr",
"sun aug",
"ip sun",
"country code",
"system as",
"as16509",
"mon sep",
"registrant name",
"amazon",
"terry ave",
"code",
"as36081 state",
"pulse pulses",
"files",
"reverse dns",
"asnone united",
"moved",
"body",
"certificate",
"g2 tls",
"rsa sha256",
"search",
"showing",
"online sun",
"online sat",
"online",
"12345",
"as44273 host",
"status",
"for privacy",
"redacted for",
"cname",
"domain",
"nxdomain",
"ip related",
"creation date",
"servers",
"name servers",
"next",
"cloudfront x",
"sfo5 c1",
"a domains",
"nice botet",
"srellik",
"sreredrem",
"hit",
"men",
"man",
"women",
"spider",
"mail spammer",
"gov"
],
"references": [
"CO.gov/PEAK -Postal mail Spam. Urgent demand to login.",
"https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875",
"Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak",
"Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com",
"Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |",
"Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com",
"AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us",
"AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16",
"Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO",
"http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/",
"Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging",
"http://6.no.me.malware.com | http://6.no.me.malware.com/download",
"Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/",
"https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n",
"Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12",
"Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA",
"AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)",
"Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php",
"0-w5-cms.ultimate-guitar.com",
"Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/",
"Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=",
"If you knew how you're wasting time and resources hacking a front facing archive with a 443:"
],
"public": 1,
"adversary": "Out For Blood",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1578.003",
"name": "Delete Cloud Instance",
"display_name": "T1578.003 - Delete Cloud Instance"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [
"Private Sector",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65f2691bb1405f9a30cf46b6",
"export_count": 76,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6664,
"FileHash-MD5": 89,
"FileHash-SHA1": 82,
"FileHash-SHA256": 2523,
"domain": 1792,
"hostname": 1889,
"CVE": 2,
"CIDR": 19,
"email": 22
},
"indicator_count": 13082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "572 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a901fe2dbea9024b3d614",
"name": "Black Tech",
"description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.",
"modified": "2024-09-24T00:01:38.502000",
"created": "2023-10-14T12:57:03.183000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2449,
"FileHash-SHA1": 217,
"FileHash-SHA256": 3441,
"URL": 2044,
"domain": 258,
"hostname": 1100,
"CIDR": 1,
"email": 4,
"CVE": 37
},
"indicator_count": 9551,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "572 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65f2691bb1405f9a30cf46b6",
"name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)",
"description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.",
"modified": "2024-04-12T14:01:31.094000",
"created": "2024-03-14T03:03:55.928000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"suricata udpv4",
"programfiles",
"ck id",
"show technique",
"ck matrix",
"windir",
"date",
"win64",
"hybrid",
"general",
"model",
"comspec",
"click",
"strings",
"contact",
"hostnames",
"urls http",
"samples",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"siblings",
"contacted",
"pe resource",
"communicating",
"subdomains",
"whois whois",
"copy",
"ursnif",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"ramnit",
"lskeyc",
"maxage31536000",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"team top",
"site top",
"site safe",
"heur",
"ccleaner",
"adware",
"downldr",
"union",
"bank",
"cve201711882",
"xrat",
"phishing",
"team",
"alexa",
"static engine",
"passive dns",
"unknown",
"title error",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"thu jul",
"fri dec",
"hybridanalysis",
"generic malware",
"malware",
"wed dec",
"free automated",
"service",
"thu dec",
"cidr",
"sun aug",
"ip sun",
"country code",
"system as",
"as16509",
"mon sep",
"registrant name",
"amazon",
"terry ave",
"code",
"as36081 state",
"pulse pulses",
"files",
"reverse dns",
"asnone united",
"moved",
"body",
"certificate",
"g2 tls",
"rsa sha256",
"search",
"showing",
"online sun",
"online sat",
"online",
"12345",
"as44273 host",
"status",
"for privacy",
"redacted for",
"cname",
"domain",
"nxdomain",
"ip related",
"creation date",
"servers",
"name servers",
"next",
"cloudfront x",
"sfo5 c1",
"a domains",
"nice botet",
"srellik",
"sreredrem",
"hit",
"men",
"man",
"women",
"spider",
"mail spammer",
"gov"
],
"references": [
"CO.gov/PEAK -Postal mail Spam. Urgent demand to login.",
"https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875",
"Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak",
"Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com",
"Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |",
"Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com",
"AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us",
"AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16",
"Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO",
"http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/",
"Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging",
"http://6.no.me.malware.com | http://6.no.me.malware.com/download",
"Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/",
"https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n",
"Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12",
"Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA",
"AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)",
"Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php",
"0-w5-cms.ultimate-guitar.com",
"Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/",
"Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=",
"If you knew how you're wasting time and resources hacking a front facing archive with a 443:"
],
"public": 1,
"adversary": "Out For Blood",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1578.003",
"name": "Delete Cloud Instance",
"display_name": "T1578.003 - Delete Cloud Instance"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [
"Private Sector",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6466,
"FileHash-MD5": 89,
"FileHash-SHA1": 82,
"FileHash-SHA256": 2406,
"domain": 1686,
"hostname": 1760,
"CVE": 2,
"CIDR": 4,
"email": 7
},
"indicator_count": 12502,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "737 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb4772c3d3ad1f7accc98a",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:53.179000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb476d935dd560b4a3e938",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.380000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb476d0566c2d07e474df5",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.140000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb4768b06f4da2fba5959b",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:44.270000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659b0fd1ac7cb4d83834db1f",
"name": "Botnet Command and Control Server | Malware Distribution Site",
"description": "",
"modified": "2024-02-06T20:02:52.205000",
"created": "2024-01-07T20:55:45.006000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"status code",
"body",
"httponly",
"ssl certificate",
"historical ssl",
"whois record",
"parent referrer",
"whois whois",
"communicating",
"contacted",
"contacted urls",
"bundled",
"pe resource",
"dropped",
"army",
"machinename",
"execution",
"referrer",
"malware distribution site",
"phishing dropbox",
"evasive",
"banker",
"dde",
"dridex",
"exploit",
"dyre",
"dyreza",
"ransomware",
"mydoom",
"backdoor",
"svg",
"phising",
"locky",
"e-mail provider phishing",
"spear phishing",
"retefe",
"defacement",
"phishing development bank of singapore",
"banjori",
"suppobox",
"zeus",
"pony",
"solar",
"ransomware locky distribution site",
"nymaim",
"shade",
"troldesh",
"tvrat",
"zbot",
"elocky",
"wisdomeyes",
"kryptic",
"sinkhole",
"exploit",
"worm",
"backdoor",
"injector",
"botnet command and control server",
"unknown",
"domain",
"creation date",
"search",
"date",
"hostname",
"next",
"all search",
"otx octoseek",
"united",
"as13335",
"ipv4",
"pulse submit",
"url analysis",
"iocs",
"ioc search",
"new ioc",
"teams api",
"contact",
"files",
"nxdomain",
"win32",
"meta",
"wabot",
"gmt contenttype",
"dnssec",
"name",
"win32 exe",
"detections file",
"file size",
"kb file",
"domains",
"registrar",
"markmonitor inc",
"status",
"susp",
"expiration date",
"name servers",
"domain related",
"entries",
"johnnsabey",
"m. brian sabey",
"mark sabey",
"sabey data center",
"utah",
"http method",
"http requests",
"connect http",
"get dns",
"resolutions",
"ip traffic",
"problems",
"alienvault part",
"kgs0",
"kls0",
"schema abuse",
"sneaky server",
"iframe",
"apple",
"data collection"
],
"references": [
"http://security.didici.cc/cve"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "virus.virlock/nabucur",
"display_name": "virus.virlock/nabucur",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Locky",
"display_name": "Locky",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
},
{
"id": "Banjori",
"display_name": "Banjori",
"target": null
},
{
"id": "Trojan.AvsEtecer",
"display_name": "Trojan.AvsEtecer",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "Solar",
"display_name": "Solar",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "TV RAT",
"display_name": "TV RAT",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Dyre",
"display_name": "Dyre",
"target": null
},
{
"id": "ELocky",
"display_name": "ELocky",
"target": null
},
{
"id": "Dridex",
"display_name": "Dridex",
"target": null
},
{
"id": "Locky (Decryptor)",
"display_name": "Locky (Decryptor)",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "Gen:Variant.Strictor",
"display_name": "Gen:Variant.Strictor",
"target": null
},
{
"id": "Adware.BrowseFox",
"display_name": "Adware.BrowseFox",
"target": null
},
{
"id": "W32.eHeur",
"display_name": "W32.eHeur",
"target": null
},
{
"id": "MSIL_Kryptik.P.gen",
"display_name": "MSIL_Kryptik.P.gen",
"target": null
},
{
"id": "pykspa_v2_fake",
"display_name": "pykspa_v2_fake",
"target": null
},
{
"id": "Worm:Win32/Pykspa",
"display_name": "Worm:Win32/Pykspa",
"target": "/malware/Worm:Win32/Pykspa"
},
{
"id": "Pykspa",
"display_name": "Pykspa",
"target": null
},
{
"id": "TEL:Exploit:Win32/Sinkers",
"display_name": "TEL:Exploit:Win32/Sinkers",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
}
],
"attack_ids": [
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1594",
"name": "Search Victim-Owned Websites",
"display_name": "T1594 - Search Victim-Owned Websites"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 231,
"FileHash-SHA256": 3121,
"URL": 4225,
"domain": 1725,
"hostname": 1416,
"FileHash-SHA1": 225,
"CVE": 2,
"email": 3
},
"indicator_count": 10948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "803 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a48ab7cd0bd218b17ccf6c",
"name": "Botnet Command and Control Server | Malware",
"description": "",
"modified": "2024-02-06T20:02:52.205000",
"created": "2024-01-15T01:30:31.655000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"status code",
"body",
"httponly",
"ssl certificate",
"historical ssl",
"whois record",
"parent referrer",
"whois whois",
"communicating",
"contacted",
"contacted urls",
"bundled",
"pe resource",
"dropped",
"army",
"machinename",
"execution",
"referrer",
"malware distribution site",
"phishing dropbox",
"evasive",
"banker",
"dde",
"dridex",
"exploit",
"dyre",
"dyreza",
"ransomware",
"mydoom",
"backdoor",
"svg",
"phising",
"locky",
"e-mail provider phishing",
"spear phishing",
"retefe",
"defacement",
"phishing development bank of singapore",
"banjori",
"suppobox",
"zeus",
"pony",
"solar",
"ransomware locky distribution site",
"nymaim",
"shade",
"troldesh",
"tvrat",
"zbot",
"elocky",
"wisdomeyes",
"kryptic",
"sinkhole",
"exploit",
"worm",
"backdoor",
"injector",
"botnet command and control server",
"unknown",
"domain",
"creation date",
"search",
"date",
"hostname",
"next",
"all search",
"otx octoseek",
"united",
"as13335",
"ipv4",
"pulse submit",
"url analysis",
"iocs",
"ioc search",
"new ioc",
"teams api",
"contact",
"files",
"nxdomain",
"win32",
"meta",
"wabot",
"gmt contenttype",
"dnssec",
"name",
"win32 exe",
"detections file",
"file size",
"kb file",
"domains",
"registrar",
"markmonitor inc",
"status",
"susp",
"expiration date",
"name servers",
"domain related",
"entries",
"johnnsabey",
"m. brian sabey",
"mark sabey",
"sabey data center",
"utah",
"http method",
"http requests",
"connect http",
"get dns",
"resolutions",
"ip traffic",
"problems",
"alienvault part",
"kgs0",
"kls0",
"schema abuse",
"sneaky server",
"iframe",
"apple",
"data collection"
],
"references": [
"http://security.didici.cc/cve"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "virus.virlock/nabucur",
"display_name": "virus.virlock/nabucur",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Locky",
"display_name": "Locky",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
},
{
"id": "Banjori",
"display_name": "Banjori",
"target": null
},
{
"id": "Trojan.AvsEtecer",
"display_name": "Trojan.AvsEtecer",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "Solar",
"display_name": "Solar",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "TV RAT",
"display_name": "TV RAT",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Dyre",
"display_name": "Dyre",
"target": null
},
{
"id": "ELocky",
"display_name": "ELocky",
"target": null
},
{
"id": "Dridex",
"display_name": "Dridex",
"target": null
},
{
"id": "Locky (Decryptor)",
"display_name": "Locky (Decryptor)",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "Gen:Variant.Strictor",
"display_name": "Gen:Variant.Strictor",
"target": null
},
{
"id": "Adware.BrowseFox",
"display_name": "Adware.BrowseFox",
"target": null
},
{
"id": "W32.eHeur",
"display_name": "W32.eHeur",
"target": null
},
{
"id": "MSIL_Kryptik.P.gen",
"display_name": "MSIL_Kryptik.P.gen",
"target": null
},
{
"id": "pykspa_v2_fake",
"display_name": "pykspa_v2_fake",
"target": null
},
{
"id": "Worm:Win32/Pykspa",
"display_name": "Worm:Win32/Pykspa",
"target": "/malware/Worm:Win32/Pykspa"
},
{
"id": "Pykspa",
"display_name": "Pykspa",
"target": null
},
{
"id": "TEL:Exploit:Win32/Sinkers",
"display_name": "TEL:Exploit:Win32/Sinkers",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
}
],
"attack_ids": [
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1594",
"name": "Search Victim-Owned Websites",
"display_name": "T1594 - Search Victim-Owned Websites"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "659b0fd1ac7cb4d83834db1f",
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 231,
"FileHash-SHA256": 3121,
"URL": 4225,
"domain": 1725,
"hostname": 1416,
"FileHash-SHA1": 225,
"CVE": 2,
"email": 3
},
"indicator_count": 10948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "803 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65944b9812ea52ab41c0259d",
"name": "Mirai Apple Attack +",
"description": "",
"modified": "2024-01-29T03:01:29.910000",
"created": "2024-01-02T17:44:56.709000",
"tags": [
"whois record",
"ssl certificate",
"contacted",
"whois whois",
"historical ssl",
"referrer",
"communicating",
"resolutions",
"apple",
"collections",
"core",
"stealer",
"execution",
"ratel",
"suspicious",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"windir",
"json data",
"localappdata",
"ascii text",
"unicode text",
"pattern match",
"file",
"indicator",
"mitre att",
"path",
"factory",
"hybrid",
"general",
"memcommit",
"regsetvalueexa",
"regdword",
"t1055",
"high",
"regbinary",
"dynamic dns",
"regsetvalueexw",
"regsz",
"medium",
"win32",
"malware",
"copy",
"capture",
"name servers",
"creation date",
"servers",
"passive dns",
"urls",
"domain",
"search",
"expiration date",
"scan endpoints",
"all scoreblue",
"date",
"next",
"applenoc",
"showing",
"status",
"united",
"as44273 host",
"unknown",
"all search",
"otx scoreblue",
"aaaa",
"as54113",
"privacy inc",
"customer",
"asnone united",
"entries",
"pulse pulses",
"dga",
"redacted for",
"as20940",
"body",
"for privacy",
"ipv4",
"files",
"location united",
"america asn",
"as54252",
"type name",
"dns replication",
"iana",
"whois lookup",
"ipv4 address",
"ripe ncc",
"afrinic",
"africa",
"apnic",
"asia pacific",
"arin",
"lacnic",
"elf executable",
"sysv",
"linux",
"elf wgetboat",
"contacted urls",
"red team",
"tsara brashears",
"apple phone",
"unlocker",
"fakedout threat",
"hostname",
"samples",
"mirai",
"ph elf",
"telefonica de",
"elf collection",
"llwn",
"text",
"gp practice",
"oracle",
"apple ios",
"password",
"threat network",
"kgs0",
"kls0",
"hacktool",
"probe",
"malicious"
],
"references": [
"https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
"https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
"https://twitter.com/PORNO_SEXYBABES",
"IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control",
"103.246.145.111 phishing",
"nr-data.net | Apple Private Data collection",
"BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
"00000000.apple.com | remote SIM Swap",
"https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
"103.246.145.111 - scanning host",
"https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
"https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
"https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
"usw2-platform-dmchat-avengers-prod-ext.apple.com",
"https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
"Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RATel",
"display_name": "RATel",
"target": null
},
{
"id": "trojan.mirai/genericrxui",
"display_name": "trojan.mirai/genericrxui",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "658f967a4fc7ebe8021b9382",
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 578,
"FileHash-SHA1": 521,
"FileHash-SHA256": 6392,
"URL": 5741,
"domain": 2243,
"hostname": 1536,
"SSLCertFingerprint": 2,
"email": 8,
"CVE": 1
},
"indicator_count": 17022,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "811 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659127f3265ec6306b607faa",
"name": "Mirai Apple Attack +",
"description": "",
"modified": "2024-01-29T03:01:29.910000",
"created": "2023-12-31T08:36:03.380000",
"tags": [
"whois record",
"ssl certificate",
"contacted",
"whois whois",
"historical ssl",
"referrer",
"communicating",
"resolutions",
"apple",
"collections",
"core",
"stealer",
"execution",
"ratel",
"suspicious",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"windir",
"json data",
"localappdata",
"ascii text",
"unicode text",
"pattern match",
"file",
"indicator",
"mitre att",
"path",
"factory",
"hybrid",
"general",
"memcommit",
"regsetvalueexa",
"regdword",
"t1055",
"high",
"regbinary",
"dynamic dns",
"regsetvalueexw",
"regsz",
"medium",
"win32",
"malware",
"copy",
"capture",
"name servers",
"creation date",
"servers",
"passive dns",
"urls",
"domain",
"search",
"expiration date",
"scan endpoints",
"all scoreblue",
"date",
"next",
"applenoc",
"showing",
"status",
"united",
"as44273 host",
"unknown",
"all search",
"otx scoreblue",
"aaaa",
"as54113",
"privacy inc",
"customer",
"asnone united",
"entries",
"pulse pulses",
"dga",
"redacted for",
"as20940",
"body",
"for privacy",
"ipv4",
"files",
"location united",
"america asn",
"as54252",
"type name",
"dns replication",
"iana",
"whois lookup",
"ipv4 address",
"ripe ncc",
"afrinic",
"africa",
"apnic",
"asia pacific",
"arin",
"lacnic",
"elf executable",
"sysv",
"linux",
"elf wgetboat",
"contacted urls",
"red team",
"tsara brashears",
"apple phone",
"unlocker",
"fakedout threat",
"hostname",
"samples",
"mirai",
"ph elf",
"telefonica de",
"elf collection",
"llwn",
"text",
"gp practice",
"oracle",
"apple ios",
"password",
"threat network",
"kgs0",
"kls0",
"hacktool",
"probe",
"malicious"
],
"references": [
"https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
"https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
"https://twitter.com/PORNO_SEXYBABES",
"IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control",
"103.246.145.111 phishing",
"nr-data.net | Apple Private Data collection",
"BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
"00000000.apple.com | remote SIM Swap",
"https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
"103.246.145.111 - scanning host",
"https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
"https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
"https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
"usw2-platform-dmchat-avengers-prod-ext.apple.com",
"https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
"Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RATel",
"display_name": "RATel",
"target": null
},
{
"id": "trojan.mirai/genericrxui",
"display_name": "trojan.mirai/genericrxui",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "658f967a4fc7ebe8021b9382",
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 578,
"FileHash-SHA1": 521,
"FileHash-SHA256": 6392,
"URL": 5741,
"domain": 2243,
"hostname": 1536,
"SSLCertFingerprint": 2,
"email": 8,
"CVE": 1
},
"indicator_count": 17022,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "811 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658f967a4fc7ebe8021b9382",
"name": "Mirai Apple Attack +",
"description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"",
"modified": "2024-01-29T03:01:29.910000",
"created": "2023-12-30T04:03:06.598000",
"tags": [
"whois record",
"ssl certificate",
"contacted",
"whois whois",
"historical ssl",
"referrer",
"communicating",
"resolutions",
"apple",
"collections",
"core",
"stealer",
"execution",
"ratel",
"suspicious",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"windir",
"json data",
"localappdata",
"ascii text",
"unicode text",
"pattern match",
"file",
"indicator",
"mitre att",
"path",
"factory",
"hybrid",
"general",
"memcommit",
"regsetvalueexa",
"regdword",
"t1055",
"high",
"regbinary",
"dynamic dns",
"regsetvalueexw",
"regsz",
"medium",
"win32",
"malware",
"copy",
"capture",
"name servers",
"creation date",
"servers",
"passive dns",
"urls",
"domain",
"search",
"expiration date",
"scan endpoints",
"all scoreblue",
"date",
"next",
"applenoc",
"showing",
"status",
"united",
"as44273 host",
"unknown",
"all search",
"otx scoreblue",
"aaaa",
"as54113",
"privacy inc",
"customer",
"asnone united",
"entries",
"pulse pulses",
"dga",
"redacted for",
"as20940",
"body",
"for privacy",
"ipv4",
"files",
"location united",
"america asn",
"as54252",
"type name",
"dns replication",
"iana",
"whois lookup",
"ipv4 address",
"ripe ncc",
"afrinic",
"africa",
"apnic",
"asia pacific",
"arin",
"lacnic",
"elf executable",
"sysv",
"linux",
"elf wgetboat",
"contacted urls",
"red team",
"tsara brashears",
"apple phone",
"unlocker",
"fakedout threat",
"hostname",
"samples",
"mirai",
"ph elf",
"telefonica de",
"elf collection",
"llwn",
"text",
"gp practice",
"oracle",
"apple ios",
"password",
"threat network",
"kgs0",
"kls0",
"hacktool",
"probe",
"malicious"
],
"references": [
"https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
"https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
"https://twitter.com/PORNO_SEXYBABES",
"IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control",
"103.246.145.111 phishing",
"nr-data.net | Apple Private Data collection",
"BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
"00000000.apple.com | remote SIM Swap",
"https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
"103.246.145.111 - scanning host",
"https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
"https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
"https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
"usw2-platform-dmchat-avengers-prod-ext.apple.com",
"https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
"Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RATel",
"display_name": "RATel",
"target": null
},
{
"id": "trojan.mirai/genericrxui",
"display_name": "trojan.mirai/genericrxui",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 578,
"FileHash-SHA1": 521,
"FileHash-SHA256": 6392,
"URL": 5741,
"domain": 2243,
"hostname": 1536,
"SSLCertFingerprint": 2,
"email": 8,
"CVE": 1
},
"indicator_count": 17022,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "811 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6581d83e20634ac0d58ceca9",
"name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]",
"description": "",
"modified": "2024-01-17T23:03:40.729000",
"created": "2023-12-19T17:51:58.995000",
"tags": [
"contacted",
"ssl certificate",
"group",
"toolset",
"attacks",
"governments",
"middle east",
"dalbit",
"march",
"witchetty",
"blueshell",
"execution",
"lockbit",
"malware",
"backdoor",
"tsara brashears",
"octoseek",
"steganographic technique",
"proxylogon",
"lookback",
"lookingfrog",
"anonfiles",
"publishing",
"music",
"torrent",
"critical",
"hallrender",
"ttp",
"uae",
"protection",
"macmalware",
"linux malware",
"apple",
"proxyshell",
"x4",
"zero trust",
"youtube",
"safebae",
"rallypoint",
"poemhunter",
"eazy client",
"africa",
"united states",
"ta410",
"second stage",
"Capture Wi-Fi password",
"password stealer",
"whois whois",
"agent tesla",
"love",
"mirai",
"satacom",
"miner",
"dtrack",
"nebula",
"cobalt strike",
"nanocore",
"core",
"hacktool"
],
"references": [
"EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell",
"discord.com",
"api.anonfiles.com",
"checkip.dyndns.org",
"checkip.dyndns.com",
"DNS Query for Anonfiles.com Domain",
"INDICATOR SUSPICIOUS_EXE_WirelessNetReccon",
"INDICATOR SUSPICIOUS_EXE_CC_Regex",
"DNS Query for Anonfiles.com Domain",
"Traffic 13.107.4.52:80 (TCP)",
"MALWARE_Win_StormKitty",
"qbittorrent.exe",
"EaZy Client.exe",
"https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community"
],
"public": 1,
"adversary": "Witchetty APT Group",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Witchetty",
"display_name": "Witchetty",
"target": null
},
{
"id": "BlueShell",
"display_name": "BlueShell",
"target": null
},
{
"id": "Lokbit",
"display_name": "Lokbit",
"target": null
},
{
"id": "Mac.Malware",
"display_name": "Mac.Malware",
"target": null
},
{
"id": "trojan.msil/stealer",
"display_name": "trojan.msil/stealer",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6580d422fb57aab8e21c1f39",
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1541,
"URL": 3782,
"domain": 1067,
"hostname": 1297,
"FileHash-MD5": 110,
"FileHash-SHA1": 110,
"CVE": 3
},
"indicator_count": 7910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "823 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6581d83bfd115be1f92d75a9",
"name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]",
"description": "",
"modified": "2024-01-17T23:03:40.729000",
"created": "2023-12-19T17:51:55.338000",
"tags": [
"contacted",
"ssl certificate",
"group",
"toolset",
"attacks",
"governments",
"middle east",
"dalbit",
"march",
"witchetty",
"blueshell",
"execution",
"lockbit",
"malware",
"backdoor",
"tsara brashears",
"octoseek",
"steganographic technique",
"proxylogon",
"lookback",
"lookingfrog",
"anonfiles",
"publishing",
"music",
"torrent",
"critical",
"hallrender",
"ttp",
"uae",
"protection",
"macmalware",
"linux malware",
"apple",
"proxyshell",
"x4",
"zero trust",
"youtube",
"safebae",
"rallypoint",
"poemhunter",
"eazy client",
"africa",
"united states",
"ta410",
"second stage",
"Capture Wi-Fi password",
"password stealer",
"whois whois",
"agent tesla",
"love",
"mirai",
"satacom",
"miner",
"dtrack",
"nebula",
"cobalt strike",
"nanocore",
"core",
"hacktool"
],
"references": [
"EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell",
"discord.com",
"api.anonfiles.com",
"checkip.dyndns.org",
"checkip.dyndns.com",
"DNS Query for Anonfiles.com Domain",
"INDICATOR SUSPICIOUS_EXE_WirelessNetReccon",
"INDICATOR SUSPICIOUS_EXE_CC_Regex",
"DNS Query for Anonfiles.com Domain",
"Traffic 13.107.4.52:80 (TCP)",
"MALWARE_Win_StormKitty",
"qbittorrent.exe",
"EaZy Client.exe",
"https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community"
],
"public": 1,
"adversary": "Witchetty APT Group",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Witchetty",
"display_name": "Witchetty",
"target": null
},
{
"id": "BlueShell",
"display_name": "BlueShell",
"target": null
},
{
"id": "Lokbit",
"display_name": "Lokbit",
"target": null
},
{
"id": "Mac.Malware",
"display_name": "Mac.Malware",
"target": null
},
{
"id": "trojan.msil/stealer",
"display_name": "trojan.msil/stealer",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6580d422fb57aab8e21c1f39",
"export_count": 36,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1541,
"URL": 3782,
"domain": 1067,
"hostname": 1297,
"FileHash-MD5": 110,
"FileHash-SHA1": 110,
"CVE": 3
},
"indicator_count": 7910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "823 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6580d422fb57aab8e21c1f39",
"name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password",
"description": "Deeply hidden inRallypoint.com. \nWitchetty cyber espionage: Witchetty's activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload.\n\nBlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and \nDalbit APT Group targets vulnerable servers to breach information including internal data from companies or encrypts files may demand money.",
"modified": "2024-01-17T23:03:40.729000",
"created": "2023-12-18T23:22:10.482000",
"tags": [
"contacted",
"ssl certificate",
"group",
"toolset",
"attacks",
"governments",
"middle east",
"dalbit",
"march",
"witchetty",
"blueshell",
"execution",
"lockbit",
"malware",
"backdoor",
"tsara brashears",
"octoseek",
"steganographic technique",
"proxylogon",
"lookback",
"lookingfrog",
"anonfiles",
"publishing",
"music",
"torrent",
"critical",
"hallrender",
"ttp",
"uae",
"protection",
"macmalware",
"linux malware",
"apple",
"proxyshell",
"x4",
"zero trust",
"youtube",
"safebae",
"rallypoint",
"poemhunter",
"eazy client",
"africa",
"united states",
"ta410",
"second stage",
"Capture Wi-Fi password",
"password stealer",
"whois whois",
"agent tesla",
"love",
"mirai",
"satacom",
"miner",
"dtrack",
"nebula",
"cobalt strike",
"nanocore",
"core",
"hacktool"
],
"references": [
"EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell",
"discord.com",
"api.anonfiles.com",
"checkip.dyndns.org",
"checkip.dyndns.com",
"DNS Query for Anonfiles.com Domain",
"INDICATOR SUSPICIOUS_EXE_WirelessNetReccon",
"INDICATOR SUSPICIOUS_EXE_CC_Regex",
"DNS Query for Anonfiles.com Domain",
"Traffic 13.107.4.52:80 (TCP)",
"MALWARE_Win_StormKitty",
"qbittorrent.exe",
"EaZy Client.exe",
"https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community"
],
"public": 1,
"adversary": "Witchetty APT Group",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Witchetty",
"display_name": "Witchetty",
"target": null
},
{
"id": "BlueShell",
"display_name": "BlueShell",
"target": null
},
{
"id": "Lokbit",
"display_name": "Lokbit",
"target": null
},
{
"id": "Mac.Malware",
"display_name": "Mac.Malware",
"target": null
},
{
"id": "trojan.msil/stealer",
"display_name": "trojan.msil/stealer",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1541,
"URL": 3782,
"domain": 1067,
"hostname": 1297,
"FileHash-MD5": 110,
"FileHash-SHA1": 110,
"CVE": 3
},
"indicator_count": 7910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "823 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655bd8cdff0012b85a94364f",
"name": "Raven",
"description": "Source: WITHU4EVER.com \nDeepScan , browser modifier, password cracker, C2",
"modified": "2023-12-20T21:03:27.869000",
"created": "2023-11-20T22:08:13.877000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"tsara brashears",
"referrer",
"kgs0",
"kls0",
"apple ios",
"critical risk",
"attack",
"hacktool",
"installer",
"search live",
"api blog",
"docs pricing",
"login",
"november",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"value",
"variables",
"userrecovery",
"raven",
"cookies",
"reverse dns",
"software",
"resource hash",
"general full",
"url https",
"frankfurt",
"main",
"germany",
"asn20940",
"akamaiasn1",
"windows nt",
"win64",
"khtml",
"gecko",
"europeberlin",
"aes256gcm",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"site top",
"html",
"safe site",
"site safe",
"maltiverse",
"alexa top",
"million",
"unsafe",
"malware",
"riskware",
"dropper",
"team",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"cve201711882",
"auslogics",
"deepscan",
"genpack",
"phish",
"phishing",
"bank",
"first",
"trojanclicker",
"bnr",
"webtoolbar",
"trojanspy",
"tsara brashears",
"contacted",
"sides with",
"amadey bot",
"excel",
"macros ursnif",
"sneaky server",
"replacement",
"unauthorized",
"black basta",
"devoted high",
"core",
"emotet",
"cowardly lion group",
"sabey tooth group",
"cp",
"cyber",
"diat",
"infostealer",
"password"
],
"references": [
"https://www.hybrid-analysis.com/sample/393a851d6948e2a5d0d70ce884b3e0b4b9287b5d089671cac229ed63b42f0dba",
"https://urlscan.io/result/9feaa404-2c53-480d-8571-542121740809/#indicators",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 Phishing",
"http://45.159.189.105/bot/regex \u2022 Tracking Tsara Brashears Botnetwork",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 Password Cracker",
"nr-data.net \u2022 Apple Private Data Collection",
"www.supernetforme.com \u2022 CNC",
"103.224.212.219 \u2022 CNC",
"45.159.189.105 \u2022 CNC",
"Resource: WithU4ever.com"
],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "BNR",
"display_name": "BNR",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "IceFog",
"display_name": "IceFog",
"target": null
},
{
"id": "Sabey Tooth",
"display_name": "Sabey Tooth",
"target": null
},
{
"id": "IObit",
"display_name": "IObit",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Swrort Stager",
"display_name": "Swrort Stager",
"target": null
},
{
"id": "TrojanClicker.",
"display_name": "TrojanClicker.",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "MediaMagnet",
"display_name": "MediaMagnet",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1243,
"URL": 4176,
"FileHash-MD5": 63,
"FileHash-SHA1": 24,
"FileHash-SHA256": 1386,
"domain": 518,
"CIDR": 1,
"CVE": 11,
"email": 1
},
"indicator_count": 7423,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "851 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655bd8cfe894eabbe8ef2bc5",
"name": "Raven",
"description": "Source: WITHU4EVER.com \nDeepScan , browser modifier, password cracker, C2",
"modified": "2023-12-20T21:03:27.869000",
"created": "2023-11-20T22:08:15.066000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"tsara brashears",
"referrer",
"kgs0",
"kls0",
"apple ios",
"critical risk",
"attack",
"hacktool",
"installer",
"search live",
"api blog",
"docs pricing",
"login",
"november",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"value",
"variables",
"userrecovery",
"raven",
"cookies",
"reverse dns",
"software",
"resource hash",
"general full",
"url https",
"frankfurt",
"main",
"germany",
"asn20940",
"akamaiasn1",
"windows nt",
"win64",
"khtml",
"gecko",
"europeberlin",
"aes256gcm",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"site top",
"html",
"safe site",
"site safe",
"maltiverse",
"alexa top",
"million",
"unsafe",
"malware",
"riskware",
"dropper",
"team",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"cve201711882",
"auslogics",
"deepscan",
"genpack",
"phish",
"phishing",
"bank",
"first",
"trojanclicker",
"bnr",
"webtoolbar",
"trojanspy",
"tsara brashears",
"contacted",
"sides with",
"amadey bot",
"excel",
"macros ursnif",
"sneaky server",
"replacement",
"unauthorized",
"black basta",
"devoted high",
"core",
"emotet",
"cowardly lion group",
"sabey tooth group",
"cp",
"cyber",
"diat",
"infostealer",
"password"
],
"references": [
"https://www.hybrid-analysis.com/sample/393a851d6948e2a5d0d70ce884b3e0b4b9287b5d089671cac229ed63b42f0dba",
"https://urlscan.io/result/9feaa404-2c53-480d-8571-542121740809/#indicators",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 Phishing",
"http://45.159.189.105/bot/regex \u2022 Tracking Tsara Brashears Botnetwork",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 Password Cracker",
"nr-data.net \u2022 Apple Private Data Collection",
"www.supernetforme.com \u2022 CNC",
"103.224.212.219 \u2022 CNC",
"45.159.189.105 \u2022 CNC",
"Resource: WithU4ever.com"
],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "BNR",
"display_name": "BNR",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "IceFog",
"display_name": "IceFog",
"target": null
},
{
"id": "Sabey Tooth",
"display_name": "Sabey Tooth",
"target": null
},
{
"id": "IObit",
"display_name": "IObit",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Swrort Stager",
"display_name": "Swrort Stager",
"target": null
},
{
"id": "TrojanClicker.",
"display_name": "TrojanClicker.",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "MediaMagnet",
"display_name": "MediaMagnet",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1243,
"URL": 4176,
"FileHash-MD5": 63,
"FileHash-SHA1": 24,
"FileHash-SHA256": 1386,
"domain": 518,
"CIDR": 1,
"CVE": 11,
"email": 1
},
"indicator_count": 7423,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "851 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a975e2a76dd4ddaec80a",
"name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex",
"description": "",
"modified": "2023-12-06T17:03:49.269000",
"created": "2023-12-06T17:03:49.269000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 8,
"FileHash-SHA256": 2173,
"domain": 584,
"hostname": 1707,
"URL": 4145,
"FileHash-SHA1": 545,
"FileHash-MD5": 1071
},
"indicator_count": 10233,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a9123acb8410d1158f8a",
"name": "DNSpionage",
"description": "",
"modified": "2023-12-06T17:02:10.861000",
"created": "2023-12-06T17:02:10.861000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a90bc683765a535061dc",
"name": "27 CVE Talley | GameHack l Beach Research",
"description": "",
"modified": "2023-12-06T17:02:03.119000",
"created": "2023-12-06T17:02:03.119000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a903fc0836f148fa45c9",
"name": "Oshanghai Blue",
"description": "",
"modified": "2023-12-06T17:01:55.465000",
"created": "2023-12-06T17:01:55.465000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a8fb83452e1699674c37",
"name": "Black Tech",
"description": "",
"modified": "2023-12-06T17:01:47.488000",
"created": "2023-12-06T17:01:47.488000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657092f9499206cd87c73969",
"name": "iphone",
"description": "",
"modified": "2023-12-06T15:27:53.981000",
"created": "2023-12-06T15:27:53.981000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1768,
"hostname": 808,
"domain": 306,
"URL": 1938,
"FileHash-SHA1": 1
},
"indicator_count": 4821,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080e2831409d23c8d24a5",
"name": "iMessages.app 03.01.2022",
"description": "",
"modified": "2023-12-06T14:10:42.459000",
"created": "2023-12-06T14:10:42.459000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1768,
"hostname": 808,
"domain": 306,
"URL": 1937,
"FileHash-SHA1": 1
},
"indicator_count": 4820,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080c91dad41198eb749f7",
"name": "Hartintercivic.com",
"description": "",
"modified": "2023-12-06T14:10:17.112000",
"created": "2023-12-06T14:10:17.112000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1257,
"domain": 421,
"hostname": 1050,
"URL": 2321,
"FileHash-MD5": 1,
"FileHash-SHA1": 14
},
"indicator_count": 5064,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080a3b9d26b3fb0e6762f",
"name": "DianeTrautman.com ~ former Harris County Clerk, Texas (2019 - 2020)",
"description": "",
"modified": "2023-12-06T14:09:39.170000",
"created": "2023-12-06T14:09:39.170000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 871,
"domain": 259,
"hostname": 567,
"URL": 1052,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570804add74469eac78106c",
"name": "AngelPonce.com ~ Harris County Elections ADA Coordinator",
"description": "",
"modified": "2023-12-06T14:08:10.512000",
"created": "2023-12-06T14:08:10.512000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1148,
"domain": 286,
"hostname": 706,
"URL": 1406,
"email": 1,
"FileHash-SHA1": 5
},
"indicator_count": 3552,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707eb53b9a631d2b0c4648",
"name": "dns down chain",
"description": "",
"modified": "2023-12-06T14:01:25.924000",
"created": "2023-12-06T14:01:25.924000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 771,
"hostname": 232,
"domain": 146,
"URL": 517
},
"indicator_count": 1666,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652c33c45c1f1566c4b8c6a2",
"name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex",
"description": "https://login.live.com/oauth20_remoteconnect.srf\nInvalid CRDS Token\nI suffered quite an attack on my devices. My personal experience, phone service changed, embedding., privilege escalation adversaries, remote probe, obvious unauthorized microsoft usage multiple logins. embedded phone service apps, injected, unknown apps, dumping. connect/shared/ tethered to other clouds, apps devices, decrypted phone., cookies turned off after attack, no Google, other search engine access, passwords compromised malicious Google sorry index w/Azorult. I am targeted. Usual suspects\nPrior: 'D241 connect test was successful messages'. Wifi and cellular issues.\nAftermath, Zombie devices. C2. Calls don't connect, keyloggers, etc",
"modified": "2023-11-14T17:01:45.019000",
"created": "2023-10-15T18:47:32.354000",
"tags": [
"whois record",
"historical ssl",
"ssl certificate",
"communicating",
"referrer",
"united",
"mail spammer",
"detection list",
"ip address",
"blacklist",
"possiblecerber",
"outlook",
"covid19",
"artemis",
"unsafe",
"cisco umbrella",
"site",
"safe site",
"phishing site",
"malicious site",
"malware",
"malware site",
"alexa top",
"million",
"phishingms",
"exploit",
"live",
"blacklist https",
"javascript",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"p3p cp",
"pragma",
"whois whois",
"contacted",
"threat network",
"pe resource",
"uatrue url",
"typepv",
"probe",
"execution",
"core",
"emotet",
"remcos",
"nokoyawa",
"asyncrat",
"heur",
"anonymizer",
"firehol",
"trojanx",
"agent",
"riskware",
"trojan",
"binder",
"small",
"downloader",
"hupigon",
"crypt",
"cobalt strike",
"union",
"team",
"agent tesla",
"malicious",
"fakealert",
"dbatloader",
"stealer",
"nanocore rat",
"formbook",
"dropper",
"dridex",
"hawkeye",
"netwire",
"download",
"opencandy",
"bladabindi",
"phishing",
"bank",
"alexa",
"trojanspy",
"maltiverse",
"uatrue",
"processorx86",
"langen",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"injected",
"mitre",
"attack",
"cybercrime",
"Suspicious.Save",
"dns server",
"scanning ip's",
"Backdoor.Remcos",
"Threats200220200050",
"IOC_19052020",
"behaves like emotet"
],
"references": [
"https://login.live.com/oauth20_remoteconnect.srf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"France"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Dridex",
"display_name": "Dridex",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "HawkEye Keylogger",
"display_name": "HawkEye Keylogger",
"target": null
},
{
"id": "Suspicious.Save",
"display_name": "Suspicious.Save",
"target": null
},
{
"id": "Application.Generic",
"display_name": "Application.Generic",
"target": null
},
{
"id": "Backdoor.RemoteManipulator",
"display_name": "Backdoor.RemoteManipulator",
"target": null
},
{
"id": "Gen:Heur.Ransom.HiddenTears",
"display_name": "Gen:Heur.Ransom.HiddenTears",
"target": null
},
{
"id": "XOR.DDoS",
"display_name": "XOR.DDoS",
"target": null
},
{
"id": "Backdoor.Remcos",
"display_name": "Backdoor.Remcos",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1071,
"FileHash-SHA1": 545,
"FileHash-SHA256": 2173,
"domain": 584,
"hostname": 1707,
"URL": 4145,
"CVE": 8
},
"indicator_count": 10233,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f1c989df5416bd0ff3d38",
"name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex",
"description": "",
"modified": "2023-11-14T17:01:45.019000",
"created": "2023-10-30T03:01:44.846000",
"tags": [
"whois record",
"historical ssl",
"ssl certificate",
"communicating",
"referrer",
"united",
"mail spammer",
"detection list",
"ip address",
"blacklist",
"possiblecerber",
"outlook",
"covid19",
"artemis",
"unsafe",
"cisco umbrella",
"site",
"safe site",
"phishing site",
"malicious site",
"malware",
"malware site",
"alexa top",
"million",
"phishingms",
"exploit",
"live",
"blacklist https",
"javascript",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"p3p cp",
"pragma",
"whois whois",
"contacted",
"threat network",
"pe resource",
"uatrue url",
"typepv",
"probe",
"execution",
"core",
"emotet",
"remcos",
"nokoyawa",
"asyncrat",
"heur",
"anonymizer",
"firehol",
"trojanx",
"agent",
"riskware",
"trojan",
"binder",
"small",
"downloader",
"hupigon",
"crypt",
"cobalt strike",
"union",
"team",
"agent tesla",
"malicious",
"fakealert",
"dbatloader",
"stealer",
"nanocore rat",
"formbook",
"dropper",
"dridex",
"hawkeye",
"netwire",
"download",
"opencandy",
"bladabindi",
"phishing",
"bank",
"alexa",
"trojanspy",
"maltiverse",
"uatrue",
"processorx86",
"langen",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"injected",
"mitre",
"attack",
"cybercrime",
"Suspicious.Save",
"dns server",
"scanning ip's",
"Backdoor.Remcos",
"Threats200220200050",
"IOC_19052020",
"behaves like emotet"
],
"references": [
"https://login.live.com/oauth20_remoteconnect.srf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"France"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Dridex",
"display_name": "Dridex",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "HawkEye Keylogger",
"display_name": "HawkEye Keylogger",
"target": null
},
{
"id": "Suspicious.Save",
"display_name": "Suspicious.Save",
"target": null
},
{
"id": "Application.Generic",
"display_name": "Application.Generic",
"target": null
},
{
"id": "Backdoor.RemoteManipulator",
"display_name": "Backdoor.RemoteManipulator",
"target": null
},
{
"id": "Gen:Heur.Ransom.HiddenTears",
"display_name": "Gen:Heur.Ransom.HiddenTears",
"target": null
},
{
"id": "XOR.DDoS",
"display_name": "XOR.DDoS",
"target": null
},
{
"id": "Backdoor.Remcos",
"display_name": "Backdoor.Remcos",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "652c33c45c1f1566c4b8c6a2",
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1071,
"FileHash-SHA1": 545,
"FileHash-SHA256": 2173,
"domain": 584,
"hostname": 1707,
"URL": 4145,
"CVE": 8
},
"indicator_count": 10233,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f19afc40e663452f60260",
"name": "DNSpionage",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-30T02:49:19.586000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a9637ba159a3febc414c4",
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "888 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a9637ba159a3febc414c4",
"name": "DNSpionage",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-14T13:23:03.558000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a9441becbdf690c095816",
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "888 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a9441becbdf690c095816",
"name": "27 CVE Talley | GameHack l Beach Research",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-14T13:14:41.530000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a901fe2dbea9024b3d614",
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "888 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a913f48809612f1bd7deb",
"name": "Oshanghai Blue ",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-14T13:01:51.164000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a901fe2dbea9024b3d614",
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "888 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "645ce286ade95dca84a5a3f5",
"name": "pegasustools com - vt collection",
"description": "CVE' s 1999-0016, 2011-1889, 2014-8730",
"modified": "2023-05-11T12:41:42.133000",
"created": "2023-05-11T12:41:42.133000",
"tags": [
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"issuer",
"cus cnamazon",
"m01 oamazon",
"validity",
"subject public",
"key info",
"pegasustools.com",
"CVE-1999-0016",
"CVE-2011-1889",
"CVE-2014-8730"
],
"references": [
"https://www.virustotal.com/gui/domain/www.pegasustools.com/details",
"g2f1c5daf02f94f4e938ce683b5a9d0bad55b53a75f7b4db58a65bb4a4faf1771.json"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Exploit:Win32/CVE-1999-0016",
"display_name": "Exploit:Win32/CVE-1999-0016",
"target": "/malware/Exploit:Win32/CVE-1999-0016"
},
{
"id": "CVE-2011-1889",
"display_name": "CVE-2011-1889",
"target": null
},
{
"id": "CVE-2014-8730",
"display_name": "CVE-2014-8730",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 329,
"hostname": 169,
"FileHash-SHA256": 326,
"domain": 24,
"IPv4": 80,
"FileHash-MD5": 25,
"FileHash-SHA1": 25
},
"indicator_count": 978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "1074 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6342b2b087554c9d5209b50b",
"name": "iphone",
"description": "",
"modified": "2022-11-09T00:03:32.403000",
"created": "2022-10-09T11:38:24.078000",
"tags": [],
"references": [
"iMessages.app"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "622775d4f2c38a89fdd0128a",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Lazzo115",
"id": "210949",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 306,
"URL": 1938,
"hostname": 808,
"FileHash-SHA256": 1768,
"FileHash-SHA1": 1
},
"indicator_count": 4821,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 8,
"modified_text": "1257 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622775d4f2c38a89fdd0128a",
"name": "iMessages.app 03.01.2022",
"description": "",
"modified": "2022-04-07T00:04:02.553000",
"created": "2022-03-08T15:27:16.349000",
"tags": [],
"references": [
"iMessages.app"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 306,
"URL": 1937,
"hostname": 808,
"FileHash-SHA256": 1768,
"FileHash-SHA1": 1
},
"indicator_count": 4820,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 408,
"modified_text": "1473 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6221adc07c22ac848aa20c0b",
"name": "AngelPonce.com ~ Harris County Elections ADA Coordinator",
"description": "",
"modified": "2022-04-07T00:04:02.553000",
"created": "2022-03-04T06:12:16.443000",
"tags": [
"whois record",
"ssl certificate",
"whois",
"date",
"tucows domains",
"cloudflare",
"server",
"dns replication",
"subdomains",
"whois lookups",
"registrant",
"iana id",
"registrar url",
"aaaa",
"algorithm",
"key identifier",
"x509v3 subject",
"dns records",
"record type",
"ttl value",
"data",
"v3 serial",
"data redacted",
"code",
"registrant fax",
"registrar abuse",
"whois lookup",
"admin city"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 706,
"URL": 1406,
"FileHash-SHA256": 1148,
"domain": 286,
"email": 1,
"FileHash-SHA1": 5
},
"indicator_count": 3552,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 406,
"modified_text": "1473 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62271c27d501f2e4c04ec869",
"name": "Hartintercivic.com",
"description": "",
"modified": "2022-04-06T00:02:16.312000",
"created": "2022-03-08T09:04:39.837000",
"tags": [],
"references": [
"HARTINTERCIVIC.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1050,
"URL": 2321,
"FileHash-SHA256": 1257,
"domain": 421,
"FileHash-MD5": 1,
"FileHash-SHA1": 14
},
"indicator_count": 5064,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 409,
"modified_text": "1474 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622631688a3eb4bf2d5969dd",
"name": "DianeTrautman.com ~ former Harris County Clerk, Texas (2019 - 2020)",
"description": "",
"modified": "2022-04-06T00:02:16.312000",
"created": "2022-03-07T16:23:04.024000",
"tags": [],
"references": [
"DianeTrautman.com.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1052,
"domain": 259,
"hostname": 567,
"FileHash-SHA256": 871,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 407,
"modified_text": "1474 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6212f18f730330a0de8d6fe2",
"name": "dns down chain",
"description": "",
"modified": "2022-03-23T00:02:04.887000",
"created": "2022-02-21T01:57:35.603000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 232,
"URL": 517,
"FileHash-SHA256": 771,
"domain": 146
},
"indicator_count": 1666,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1488 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"103.246.145.111 - scanning host",
"45.159.189.105 \u2022 CNC",
"If someone is believed to be a threat they have right to due process.",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell",
"Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak",
"Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php",
"AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"qbittorrent.exe",
"sex-ukraine.net",
"nr-data.net \u2022 Apple Private Data Collection",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"https://urlscan.io/result/9feaa404-2c53-480d-8571-542121740809/#indicators",
"Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA",
"There is fear in silence or speaking out",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)",
"INDICATOR SUSPICIOUS_EXE_CC_Regex",
"https://es.pornhat.com/models/the-sex-creator/",
"Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12",
"0-w5-cms.ultimate-guitar.com",
"https://twitter.com/PORNO_SEXYBABES",
"Resource: WithU4ever.com",
"103.224.212.219 \u2022 CNC",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"iamrobert.com Y.A.S.",
"Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/",
"iMessages.app",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16",
"CO.gov/PEAK -Postal mail Spam. Urgent demand to login.",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/",
"nr-data.net | Apple Private Data collection",
"Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 Phishing",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"nexus.b2btest.ertelecom.ru",
"api.anonfiles.com",
"http://45.159.189.105/bot/regex \u2022 Tracking Tsara Brashears Botnetwork",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"http://6.no.me.malware.com | http://6.no.me.malware.com/download",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |",
"https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
"Traffic 13.107.4.52:80 (TCP)",
"CVE: CVE-2023-23397",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"www.supernetforme.com [command_and_control]",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"00000000.apple.com | remote SIM Swap",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"Target agreed and complied with all lie detector measures.",
"checkip.dyndns.org",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"www.supernetforme.com \u2022 CNC",
"https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"I am very upset. Whoever is doing this is sick.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
"https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"EaZy Client.exe",
"https://login.live.com/oauth20_remoteconnect.srf",
"https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
"AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"HARTINTERCIVIC.pdf",
"INDICATOR SUSPICIOUS_EXE_WirelessNetReccon",
"Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=",
"usw2-platform-dmchat-avengers-prod-ext.apple.com",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"DNS Query for Anonfiles.com Domain",
"If you knew how you're wasting time and resources hacking a front facing archive with a 443:",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 Password Cracker",
"DianeTrautman.com.pdf",
"Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://www.hybrid-analysis.com/sample/393a851d6948e2a5d0d70ce884b3e0b4b9287b5d089671cac229ed63b42f0dba",
"https://www.virustotal.com/gui/domain/www.pegasustools.com/details",
"https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community",
"Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com",
"Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"http://micrologin.ogspy.net/track/dhl-information-contact.html",
"https://meumundogay-com.sexogratis.page/locker",
"Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"Can the DoD no questions asked target a SA victim",
"http://security.didici.cc/cve",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
"https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"ddos.dnsnb8.net [command_and_control]",
"Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"https://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"103.246.145.111 phishing",
"IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control",
"https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"discord.com",
"https://allegro.pl/uzytkownik/adam_f.?srsltid=AfmBOoqX6vYV4qDgCzkkJhmipZLDrarI5MuggstojVsohtfiSM_s0jdd&dd_referrer=https://www.google.com/",
"workers.dev [extraction \u2022 GET request attack]",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"g2f1c5daf02f94f4e938ce683b5a9d0bad55b53a75f7b4db58a65bb4a4faf1771.json",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"MALWARE_Win_StormKitty",
"checkip.dyndns.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Out For Blood",
"Witchetty APT Group",
"[Unnamed group]",
"fac1ec40eea5a4fc05f17e019328e287.wirus"
],
"malware_families": [
"Application.generic",
"Virut",
"Elocky",
"Hawkeye keylogger",
"Cve-2014-8730",
"Lockbit",
"Crack",
"Maltiverse",
"Icefog",
"Beach research",
"Virus.virlock/nabucur",
"Msil_kryptik.p.gen",
"Ryuk ransomware",
"Mydoom",
"Lokbit",
"Bnr",
"Adware.browsefox",
"Gen:variant.strictor",
"Cve-2011-1889",
"Xor.ddos",
"Dyre",
"Locky (decryptor)",
"Hacktool",
"Unruy",
"Behav",
"Agent tesla - s0331",
"Suspicious.save",
"Suppobox",
"Hallrender",
"Zeus",
"Generic",
"Banjori",
"Trojanclicker",
"Backdoor.remcos",
"Artemis",
"Ransomware",
"Worm:win32/pykspa",
"Pykspa_v2_fake",
"Pony",
"Gen:heur.ransom.hiddentears",
"Ursnif",
"Trojanclicker.",
"Mac.malware",
"Gamehack",
"Malware",
"Apnic",
"Nymaim",
"Mediamagnet",
"Defacement",
"Pykspa",
"Trojan.wisdomeyes.16070401.9500",
"Zbot",
"Blueshell",
"Ratel",
"Sabey",
"Backdoor.remotemanipulator",
"Hallgrand",
"Sality",
"Tv rat",
"Emotet",
"Trojan.avsetecer",
"Webtoolbar",
"Installcore",
"Ransomexx",
"Witchetty",
"W32.eheur",
"Exploit:win32/cve-1999-0016",
"Tel:exploit:win32/sinkers",
"Qakbot",
"Makop",
"Trojan.msil/stealer",
"Pws:win32/raven",
"Swrort stager",
"Dridex",
"Iobit",
"Trojanspy",
"Lolkek",
"Locky",
"Trojan.mirai/genericrxui",
"Solar",
"Sabey tooth"
],
"industries": [
"Civil society",
"Healthcare",
"Private sector",
"Government"
],
"unique_indicators": 139874
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/onemusic.ph",
"whois": "http://whois.domaintools.com/onemusic.ph",
"domain": "onemusic.ph",
"hostname": "beta.onemusic.ph"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 45,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b9fd811ffc6684ba25f7",
"name": "Isolated DoD now DoW nodes - emotional commentary",
"description": "*https://www.sentient.industries/\n*trk.b.jackrogersusa.com\n*http://trk.southerntide.com/\nOTX is auto populating this pulse. Let\u2019s see\u2026",
"modified": "2025-11-04T18:01:18.650000",
"created": "2025-10-05T18:33:33.277000",
"tags": [
"united",
"present feb",
"present may",
"aaaa",
"present jul",
"passive dns",
"ip address",
"present dec",
"present sep",
"present jun",
"url https",
"url http",
"type indicator",
"role title",
"added active",
"related pulses",
"germany",
"taiwan",
"netherlands",
"china",
"search",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"ascii text",
"size",
"pattern match",
"mitre att",
"ck id",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"indicator role",
"title added",
"active related",
"pulses url",
"ruby",
"jeffrey reimer",
"target",
"tsara",
"information",
"capture",
"gather victim",
"report spam",
"kill targets",
"created",
"starfield",
"show technique",
"date"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1333,
"domain": 355,
"URL": 5874,
"hostname": 1066,
"FileHash-SHA1": 101,
"FileHash-MD5": 88,
"SSLCertFingerprint": 2
},
"indicator_count": 8819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "166 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "682fb4c264a51bf88115b6d2",
"name": "allegro.pl/uzytkownik/adam_f. vgt.pl , sanselo.pl, bipadorno.pl",
"description": "https://www.virustotal.com/gui/file/db7d7637c8fa698616282e31b1541082751601b27a3e71ad18caf138451c346a/relations\nhttps://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"modified": "2025-06-22T07:00:28.087000",
"created": "2025-05-22T23:35:30.122000",
"tags": [
"whasz"
],
"references": [
"https://allegro.pl/uzytkownik/adam_f./ogrod-1532",
"https://allegro.pl/uzytkownik/adam_f.?srsltid=AfmBOoqX6vYV4qDgCzkkJhmipZLDrarI5MuggstojVsohtfiSM_s0jdd&dd_referrer=https://www.google.com/"
],
"public": 1,
"adversary": "fac1ec40eea5a4fc05f17e019328e287.wirus",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 163,
"FileHash-SHA1": 162,
"FileHash-SHA256": 1706,
"domain": 596,
"hostname": 1278,
"URL": 6163
},
"indicator_count": 10068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "301 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65f27f90cb56df78929c01d4",
"name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI",
"description": "",
"modified": "2024-09-24T14:02:17.711000",
"created": "2024-03-14T04:39:44.522000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"suricata udpv4",
"programfiles",
"ck id",
"show technique",
"ck matrix",
"windir",
"date",
"win64",
"hybrid",
"general",
"model",
"comspec",
"click",
"strings",
"contact",
"hostnames",
"urls http",
"samples",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"siblings",
"contacted",
"pe resource",
"communicating",
"subdomains",
"whois whois",
"copy",
"ursnif",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"ramnit",
"lskeyc",
"maxage31536000",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"team top",
"site top",
"site safe",
"heur",
"ccleaner",
"adware",
"downldr",
"union",
"bank",
"cve201711882",
"xrat",
"phishing",
"team",
"alexa",
"static engine",
"passive dns",
"unknown",
"title error",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"thu jul",
"fri dec",
"hybridanalysis",
"generic malware",
"malware",
"wed dec",
"free automated",
"service",
"thu dec",
"cidr",
"sun aug",
"ip sun",
"country code",
"system as",
"as16509",
"mon sep",
"registrant name",
"amazon",
"terry ave",
"code",
"as36081 state",
"pulse pulses",
"files",
"reverse dns",
"asnone united",
"moved",
"body",
"certificate",
"g2 tls",
"rsa sha256",
"search",
"showing",
"online sun",
"online sat",
"online",
"12345",
"as44273 host",
"status",
"for privacy",
"redacted for",
"cname",
"domain",
"nxdomain",
"ip related",
"creation date",
"servers",
"name servers",
"next",
"cloudfront x",
"sfo5 c1",
"a domains",
"nice botet",
"srellik",
"sreredrem",
"hit",
"men",
"man",
"women",
"spider",
"mail spammer",
"gov"
],
"references": [
"CO.gov/PEAK -Postal mail Spam. Urgent demand to login.",
"https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875",
"Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak",
"Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com",
"Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |",
"Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com",
"AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us",
"AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16",
"Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO",
"http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/",
"Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging",
"http://6.no.me.malware.com | http://6.no.me.malware.com/download",
"Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/",
"https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n",
"Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12",
"Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA",
"AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)",
"Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php",
"0-w5-cms.ultimate-guitar.com",
"Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/",
"Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=",
"If you knew how you're wasting time and resources hacking a front facing archive with a 443:"
],
"public": 1,
"adversary": "Out For Blood",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1578.003",
"name": "Delete Cloud Instance",
"display_name": "T1578.003 - Delete Cloud Instance"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [
"Private Sector",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65f2691bb1405f9a30cf46b6",
"export_count": 76,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6664,
"FileHash-MD5": 89,
"FileHash-SHA1": 82,
"FileHash-SHA256": 2523,
"domain": 1792,
"hostname": 1889,
"CVE": 2,
"CIDR": 19,
"email": 22
},
"indicator_count": 13082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "572 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a901fe2dbea9024b3d614",
"name": "Black Tech",
"description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.",
"modified": "2024-09-24T00:01:38.502000",
"created": "2023-10-14T12:57:03.183000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2449,
"FileHash-SHA1": 217,
"FileHash-SHA256": 3441,
"URL": 2044,
"domain": 258,
"hostname": 1100,
"CIDR": 1,
"email": 4,
"CVE": 37
},
"indicator_count": 9551,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "572 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65f2691bb1405f9a30cf46b6",
"name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)",
"description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.",
"modified": "2024-04-12T14:01:31.094000",
"created": "2024-03-14T03:03:55.928000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"suricata udpv4",
"programfiles",
"ck id",
"show technique",
"ck matrix",
"windir",
"date",
"win64",
"hybrid",
"general",
"model",
"comspec",
"click",
"strings",
"contact",
"hostnames",
"urls http",
"samples",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"siblings",
"contacted",
"pe resource",
"communicating",
"subdomains",
"whois whois",
"copy",
"ursnif",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"ramnit",
"lskeyc",
"maxage31536000",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"team top",
"site top",
"site safe",
"heur",
"ccleaner",
"adware",
"downldr",
"union",
"bank",
"cve201711882",
"xrat",
"phishing",
"team",
"alexa",
"static engine",
"passive dns",
"unknown",
"title error",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"thu jul",
"fri dec",
"hybridanalysis",
"generic malware",
"malware",
"wed dec",
"free automated",
"service",
"thu dec",
"cidr",
"sun aug",
"ip sun",
"country code",
"system as",
"as16509",
"mon sep",
"registrant name",
"amazon",
"terry ave",
"code",
"as36081 state",
"pulse pulses",
"files",
"reverse dns",
"asnone united",
"moved",
"body",
"certificate",
"g2 tls",
"rsa sha256",
"search",
"showing",
"online sun",
"online sat",
"online",
"12345",
"as44273 host",
"status",
"for privacy",
"redacted for",
"cname",
"domain",
"nxdomain",
"ip related",
"creation date",
"servers",
"name servers",
"next",
"cloudfront x",
"sfo5 c1",
"a domains",
"nice botet",
"srellik",
"sreredrem",
"hit",
"men",
"man",
"women",
"spider",
"mail spammer",
"gov"
],
"references": [
"CO.gov/PEAK -Postal mail Spam. Urgent demand to login.",
"https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875",
"Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak",
"Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com",
"Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |",
"Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com",
"AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us",
"AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16",
"Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO",
"http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/",
"Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging",
"http://6.no.me.malware.com | http://6.no.me.malware.com/download",
"Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/",
"https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n",
"Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12",
"Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA",
"AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com",
"AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)",
"Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php",
"0-w5-cms.ultimate-guitar.com",
"Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/",
"Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=",
"If you knew how you're wasting time and resources hacking a front facing archive with a 443:"
],
"public": 1,
"adversary": "Out For Blood",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1578.003",
"name": "Delete Cloud Instance",
"display_name": "T1578.003 - Delete Cloud Instance"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [
"Private Sector",
"Healthcare",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6466,
"FileHash-MD5": 89,
"FileHash-SHA1": 82,
"FileHash-SHA256": 2406,
"domain": 1686,
"hostname": 1760,
"CVE": 2,
"CIDR": 4,
"email": 7
},
"indicator_count": 12502,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "737 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb4772c3d3ad1f7accc98a",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:53.179000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb476d935dd560b4a3e938",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.380000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb476d0566c2d07e474df5",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.140000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://beta.onemusic.ph",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://beta.onemusic.ph",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776641568.827875
}