{ "type": "URL", "indicator": "https://blackfriday.puntronic.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://blackfriday.puntronic.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2855438097, "indicator": "https://blackfriday.puntronic.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 26, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b18d61efd8798827c12a", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:57.639000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b183175afafb5e3bfff5", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:47.977000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a819664c2499fc2adc79", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "", "modified": "2023-12-06T16:58:01.198000", "created": "2023-12-06T16:58:01.198000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 1664, "FileHash-MD5": 367, "FileHash-SHA1": 237, "domain": 1950, "URL": 6466, "hostname": 2346, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708e178755574d9812e4c9", "name": "Followed lead to brechlerinsurance.com", "description": "", "modified": "2023-12-06T15:07:03.528000", "created": "2023-12-06T15:07:03.528000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1329, "domain": 2068, "hostname": 4185, "URL": 12454, "email": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 20043, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570897ecb6cec4777625431", "name": "www.routerlogin.net", "description": "", "modified": "2023-12-06T14:47:26.604000", "created": "2023-12-06T14:47:26.604000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1532, "domain": 2033, "URL": 11153, "hostname": 2800, "FileHash-SHA1": 5, "email": 3, "FileHash-MD5": 6 }, "indicator_count": 17532, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570805953274b32ec1f981b", "name": "Votebuilder.com", "description": "", "modified": "2023-12-06T14:08:25.588000", "created": "2023-12-06T14:08:25.588000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 869, "domain": 834, "URL": 4755, "hostname": 1559, "CIDR": 2, "FileHash-MD5": 10 }, "indicator_count": 8029, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570800373899fd03e2e49db", "name": "Democrats.org", "description": "", "modified": "2023-12-06T14:06:59.250000", "created": "2023-12-06T14:06:59.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3114, "domain": 3501, "hostname": 3860, "URL": 17938, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f519ef27fa72eb62598", "name": "CambridgeAnalytica.org", "description": "", "modified": "2023-12-06T14:04:01.301000", "created": "2023-12-06T14:04:01.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 335, "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ebe574a02ae26493904", "name": "Votebuilder.com Pt. 2", "description": "", "modified": "2023-12-06T14:01:34.792000", "created": "2023-12-06T14:01:34.792000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 354, "hostname": 1355, "URL": 3284, "domain": 814, "email": 3, "FileHash-MD5": 1, "FileHash-SHA1": 3 }, "indicator_count": 5814, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707d8251e635c843c1f5b8", "name": "Asurion.com", "description": "", "modified": "2023-12-06T13:56:18.534000", "created": "2023-12-06T13:56:18.534000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 805, "hostname": 2031, "URL": 7728, "domain": 1064, "FileHash-MD5": 4, "FileHash-SHA1": 4, "email": 2 }, "indicator_count": 11638, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707c9df9c33dd5983b366a", "name": "TrueCar.com", "description": "", "modified": "2023-12-06T13:52:29.953000", "created": "2023-12-06T13:52:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1156, "domain": 4253, "hostname": 4203, "URL": 17071, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f15cbb17119f3334c0c57", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "", "modified": "2023-11-07T01:01:57.592000", "created": "2023-10-30T02:32:43.922000", "tags": [ "ssl certificate", "whois record", "historical ssl", "threat roundup", "whois whois", "october", "referrer", "resolutions", "december", "september", "hacktool", "united", "anonymizer", "firehol", "microsoft", "phishing site", "malware site", "paypal", "latam", "phishing", "malicious site", "myetherwallet", "heur", "malware", "zeus", "zbot", "facebook", "artemis", "bank", "bradesco", "riskware", "download", "telecom", "dropper", "emotet", "formbook", "cisco umbrella", "site", "safe site", "blacklist https", "generic malware", "detection list", "blacklist", "generic", "pe resource", "contacted", "red team", "whois", "execution", "skynet", "u4e0b", "falcon sandbox", "flag", "date", "server", "name server", "markmonitor", "domain address", "gandi sas", "mesh digital", "vimeo", "static engine", "alexa top", "million", "adwarex", "alexa", "xrat", "downldr", "presenoker", "maltiverse", "ocidmy01rz", "runtime process", "copy md5", "sha1", "copy sha1", "copy sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "green", "cloned_from": "652214c652025febf66cde33", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 367, "FileHash-SHA1": 237, "FileHash-SHA256": 1664, "URL": 6466, "domain": 1950, "hostname": 2346, "CVE": 4, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652214c652025febf66cde33", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "C2 | scanning_host | Malicious|", "modified": "2023-11-07T01:01:57.592000", "created": "2023-10-08T02:32:38.609000", "tags": [ "ssl certificate", "whois record", "historical ssl", "threat roundup", "whois whois", "october", "referrer", "resolutions", "december", "september", "hacktool", "united", "anonymizer", "firehol", "microsoft", "phishing site", "malware site", "paypal", "latam", "phishing", "malicious site", "myetherwallet", "heur", "malware", "zeus", "zbot", "facebook", "artemis", "bank", "bradesco", "riskware", "download", "telecom", "dropper", "emotet", "formbook", "cisco umbrella", "site", "safe site", "blacklist https", "generic malware", "detection list", "blacklist", "generic", "pe resource", "contacted", "red team", "whois", "execution", "skynet", "u4e0b", "falcon sandbox", "flag", "date", "server", "name server", "markmonitor", "domain address", "gandi sas", "mesh digital", "vimeo", "static engine", "alexa top", "million", "adwarex", "alexa", "xrat", "downldr", "presenoker", "maltiverse", "ocidmy01rz", "runtime process", "copy md5", "sha1", "copy sha1", "copy sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 367, "FileHash-SHA1": 237, "FileHash-SHA256": 1664, "URL": 6466, "domain": 1950, "hostname": 2346, "CVE": 4, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "628077c330f33dfd254e5a8b", "name": "Followed lead to brechlerinsurance.com", "description": "", "modified": "2022-06-13T00:00:32.864000", "created": "2022-05-15T03:47:15.835000", "tags": [ "bomboraconsent", "gdpr", "ccpa", "date", "nthis", "array", "typeof e", "typeerror", "class", "image", "typeof symbol", "afsh", "copyright", "rights reserved", "comscore", "typeof o", "uspapi", "null", "s271733878", "secure hash", "algorithm", "sha1", "a1732584193", "1518500249", "imgurl", "oiqfpsjs", "script", "iframe", "oiqaddpagecat", "inte", "oiqdotag", "track", "regexp", "pseudo", "child", "typeof b", "error", "sufeffxa0", "attr", "void", "udc66udc67", "ud83d", "ufe0f", "ud83e", "udc68udc69", "udfcbudfcc", "u2640u2642", "uddb0uddb3", "udd74udd75", "wpbruiserclient", "browserinfo", "mozinnerscreenx", "xmlhttprequest", "activexobject", "bf7e56f2f3", "zpbcat", "zcluidkrs", "promise", "boolean", "verification", "object", "reflect", "typeof proxy", "demo", "shareaholic", "sfunction", "bearer", "patch", "accept", "function", "symbol", "weakmap", "dataview", "typeof module", "cfunction", "event", "afunction", "efunction", "mfunction", "binnerheightc", "number", "string", "trackevent", "click", "uint8array", "gtmng3vqql", "classes", "path", "code", "typeof r", "function code", "typeof n", "angular", "angularjs", "ember", "meteor", "zepto", "jquery", "vd", "utmb", "firefox", "shockwave flash", "utma", "utmz", "ieproto", "typeof", "widgetrootqa", "driftconductor", "addcookiedomain", "hubspot", "typeof t", "quora pixel", "4294967295", "uint32array", "viewcontent", "infinity", "register domain names", "domain registration", "business web hosting services", "web hosting provider", "business email accounts", "web site hosting", "domain name registration", "ecommerce hosting services", "buy domains", "bulk domain search", "domain name search", "domain hosting", "registrations", "websites", "whois", "registrar", "registry", "domainpeople", "domain name", "registration", "year discount", "web hosting", "us whois", "us contact", "lookup alerts", "support login", "call" ], "references": [ "https://domainpeople.com", "xfe-URL-Domainpeople.com-stix2-2.1-export.json", "xfe-URL-shareaholic.com-stix2-2.1-export.json", "https://js.hubspot.com/analytics/1652585100000/210895.js", "https://js.driftt.com/include/1652585100000/mezhk4858hn8.js", "https://bam.nr-data.net/1/f37cf8a208?a=1772678&v=1216.487a282&to=dlwNQEdeWVgHSxlDV1JWEBtdXlhR&rst=1074&ck=1&ref=https://www.shareaholic.com/&ap=9&be=11&fe=795&dc=37&af=err,xhr,stn,ins&perf=%7B%22timing%22:%7B%22of%22:1652584962293,%22n%22:0,%22f%22:0,%22dn%22:0,%22dne%22:0,%22c%22:0,%22s%22:0,%22ce%22:0,%22rq%22:0,%22rp%22:0,%22rpe%22:0,%22dl%22:6,%22di%22:37,%22ds%22:37,%22de%22:45,%22dc%22:636,%22l%22:793,%22le%22:796%7D,%22navigation%22:%7B%22ty%22:2%7D%7D&fcp=123&jsonp=NREUM.setToken", "https://js-agent.newrelic.com/nr-1216.min.js", "https://js-na1.hs-scripts.com/210895.js", "https://www.googletagmanager.com/gtm.js?id=GTM-NG3VQQL", "https://dsms0mj1bbhn4.cloudfront.net/assets/pages-afd7ed46648f01def74df6e4c245da53bde609b863bf63ff94a87154f2f82de0.js", "https://dsms0mj1bbhn4.cloudfront.net/webpack/vendors~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~7d559390-c92fe44d0731743b2d8e.js", "https://dsms0mj1bbhn4.cloudfront.net/webpack/default~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~2fbcff42-06fb1418b4e0c0383855.js", "https://dsms0mj1bbhn4.cloudfront.net/ui-header/loader.js", "https://de.tynt.com/deb/v2?id=sh!sh&dn=AFSH&cc=1&r=", "http://www.brechlerinsurance.com/?gdbc-client=3.1.25-1652585170383", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/wp-emoji-release.min.js?ver=479aaeefa13948f8aa1a2479d7a751df", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/jquery/jquery.js?ver=1.12.4", "https://partner.shareaholic.com/partners.js?location=http%3A%2F%2Fwww.brechlerinsurance.com%2F&cl=en-US&id_sync=19da2f0f-8191-4a73-b27d-e95f97e9a686&minify=1&pvs=1&site=d016349f31f268b5ce94fa8e70f6eddd", "https://px.owneriq.net/stas/s/sholic.js", "https://i.simpli.fi/dpx.js?cid=66112&m=0&sifi_tuid=37830&referrer=http%3A%2F%2Fwww.brechlerinsurance.com%2F", "https://sb.scorecardresearch.com/beacon.js", "https://cdn.tynt.com/afsh.js", "xfe-URL-ml314.com-stix2-2.1-export.json", "xfe-URL-bombora.com-stix2-2.1-export.json", "xfe-URL-Owneriq.net-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BomboraConsent", "display_name": "BomboraConsent", "target": null }, { "id": "Vd", "display_name": "Vd", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4185, "URL": 12454, "FileHash-SHA256": 1329, "CVE": 2, "domain": 2068, "email": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 20043, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1407 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62374741ab73c46ec3078320", "name": "voip ham radio dstar", "description": "", "modified": "2022-04-19T00:01:05.210000", "created": "2022-03-20T15:24:49.672000", "tags": [ "domain related" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 450, "hostname": 768, "URL": 3685, "domain": 351 }, "indicator_count": 5254, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1462 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6235e08a628e6c19d898f05c", "name": "www.routerlogin.net", "description": "", "modified": "2022-04-18T00:07:16.048000", "created": "2022-03-19T13:54:18.436000", "tags": [ "code", "server", "san jose", "date", "key identifier", "algorithm", "email", "registrar url", "registry domain", "registry expiry", "win32 exe", "win32 dll", "dos exe", "android", "librouter", "network capture", "thinclient", "setup", "type name", "referring", "technology", "dns replication", "security", "registrar abuse", "comodo valkyrie", "verdict mobile", "rank value", "ingestion time", "cisco umbrella", "dns records", "record type", "nreum", "httponly", "netgear router", "submission", "expirestue", "path", "netgear twitter", "router login", "nr agent", "Ransomware", "WannaCry" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null }, { "id": "Win32:Dracur-D\\ [Cryp]", "display_name": "Win32:Dracur-D\\ [Cryp]", "target": null }, { "id": "Worm:Win32/Krol.A", "display_name": "Worm:Win32/Krol.A", "target": "/malware/Worm:Win32/Krol.A" } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1532, "domain": 2033, "hostname": 2800, "URL": 11153, "email": 3, "FileHash-MD5": 6, "FileHash-SHA1": 5 }, "indicator_count": 17532, "is_author": false, "is_subscribing": null, "subscriber_count": 414, "modified_text": "1463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6221c71f88d90939c45bbddb", "name": "Votebuilder.com", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-04T08:00:31.017000", "tags": [], "references": [ "votebuilder3df.pdf", "votebuilder2df.pdf", "votebuilder5df.pdf", "votebuilder7df.pdf", "votebuilder.com apidf.pdf", "Votebuilder.com.pdf", "votebuilder4df.pdf", "votebuilder6df.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 869, "hostname": 1559, "URL": 4755, "CIDR": 2, "FileHash-MD5": 10, "domain": 834 }, "indicator_count": 8029, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6220c81aaf6fddde0116569a", "name": "Democrats.org", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T13:52:26.328000", "tags": [ "date", "dns replication" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17938, "hostname": 3860, "domain": 3501, "FileHash-SHA256": 3114, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621927dd57ee9ed86aeb9cb4", "name": "CambridgeAnalytica.org", "description": "", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-25T19:02:53.023000", "tags": [ "win32 exe", "scott hanselman", "win32 dll", "llc creation", "date", "passive dns", "subdomains", "detections type", "name", "rich text", "format", "music", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA256": 335, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6213e4164e5b9af2726c7a21", "name": "Votebuilder.com Pt. 2", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T19:12:22.711000", "tags": [ "csc corporate", "domains", "subdomains", "detections type", "name", "lookups", "registrant", "historical ssl", "graph summary", "algorithm", "sophos", "comodo valkyrie", "verdict", "ranks rank", "value ingestion", "time statvoo", "utc alexa", "utc cisco", "umbrella", "server", "domain status", "date", "registrar abuse", "country", "postal code", "contact phone", "registrar url", "code", "ssl certificate", "whois record", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3284, "hostname": 1355, "domain": 814, "FileHash-SHA256": 354, "email": 3, "FileHash-MD5": 1, "FileHash-SHA1": 3 }, "indicator_count": 5814, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1489 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620d08a477f11b4221bfb402", "name": "inforcloudesuite", "description": "", "modified": "2022-03-18T00:04:44.902000", "created": "2022-02-16T14:22:28.691000", "tags": [ "psiusa", "domain robot", "graph summary", "win32 exe", "server", "redacted for", "privacy tech", "privacy admin", "date", "country", "organization", "postal code", "stateprovince", "domain status", "umbrella", "code", "submission", "sophos", "comodo valkyrie", "verdict", "history first", "analysis", "utc http", "response final", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3986, "domain": 560, "FileHash-SHA256": 652, "hostname": 1596, "email": 1 }, "indicator_count": 6795, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620d08807af9ce9e3847a0ec", "name": "Inforcloudsuite.com", "description": "", "modified": "2022-03-18T00:04:44.902000", "created": "2022-02-16T14:21:52.273000", "tags": [ "psiusa", "domain robot", "graph summary", "win32 exe", "server", "redacted for", "privacy tech", "privacy admin", "date", "country", "organization", "postal code", "stateprovince", "domain status", "umbrella", "code", "submission", "sophos", "comodo valkyrie", "verdict", "history first", "analysis", "utc http", "response final", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1051, "URL": 2727, "domain": 438, "FileHash-SHA256": 113, "email": 1 }, "indicator_count": 4330, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "61f2cadaf1967e1400a2273a", "name": "Asurion.com", "description": "", "modified": "2022-02-26T00:02:44.767000", "created": "2022-01-27T16:39:54.550000", "tags": [ "technology", "date", "security", "csc corporate", "domains", "code", "llc registrar", "iana id", "server", "registrar abuse", "registrant", "tech email", "admin country", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "issuer", "cus cnentrust", "l1k oentrust", "entrust", "validity", "info", "first", "whois record", "ssl certificate" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 805, "URL": 7728, "hostname": 2031, "domain": 1064, "FileHash-MD5": 4, "FileHash-SHA1": 4, "email": 2 }, "indicator_count": 11638, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1514 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "61e2733e9e57250b5725ab5a", "name": "TrueCar.com", "description": "", "modified": "2022-02-14T00:00:26.279000", "created": "2022-01-15T07:09:50.416000", "tags": [ "android", "win32 exe", "key identifier", "win32 dll", "x509v3 subject", "server", "date", "registrar abuse", "algorithm", "markmonitor", "format", "impact", "first", "text", "email", "type name", "portable", "adguard premium", "usus", "mozilla firefox", "technology", "microsoft", "security", "subdomains", "threatseeker", "sophos", "comodo valkyrie", "verdict mobile", "rank value", "ingestion time", "statvoo", "cisco umbrella", "dns records", "record type", "ttl value", "msms94514764", "data", "v3 serial", "number", "issuer", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "domain status", "contact phone", "registrar", "ca creation", "dnssec", "domain name", "us registrant", "links https", "path", "submission", "httponly", "expiressat", "samesitelax", "details links", "vehicles comodo", "history first", "analysis" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17071, "hostname": 4203, "FileHash-SHA256": 1156, "domain": 4253, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 412, "modified_text": "1526 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "cdn-185-199-108-133.github.com", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/jquery/jquery.js?ver=1.12.4", "IP : 54.192.29.164", "Matches rule UPX from ruleset UPX by kevoreilly", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/wp-emoji-release.min.js?ver=479aaeefa13948f8aa1a2479d7a751df", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "https://www.googletagmanager.com/gtm.js?id=GTM-NG3VQQL", "votebuilder6df.pdf", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "frostwire-5.3.9.windows.exe", "YARA Rules", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "https://partner.shareaholic.com/partners.js?location=http%3A%2F%2Fwww.brechlerinsurance.com%2F&cl=en-US&id_sync=19da2f0f-8191-4a73-b27d-e95f97e9a686&minify=1&pvs=1&site=d016349f31f268b5ce94fa8e70f6eddd", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "https://dsms0mj1bbhn4.cloudfront.net/webpack/vendors~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~7d559390-c92fe44d0731743b2d8e.js", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "xfe-URL-ml314.com-stix2-2.1-export.json", "votebuilder4df.pdf", "https://dsms0mj1bbhn4.cloudfront.net/ui-header/loader.js", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://bam.nr-data.net/1/f37cf8a208?a=1772678&v=1216.487a282&to=dlwNQEdeWVgHSxlDV1JWEBtdXlhR&rst=1074&ck=1&ref=https://www.shareaholic.com/&ap=9&be=11&fe=795&dc=37&af=err,xhr,stn,ins&perf=%7B%22timing%22:%7B%22of%22:1652584962293,%22n%22:0,%22f%22:0,%22dn%22:0,%22dne%22:0,%22c%22:0,%22s%22:0,%22ce%22:0,%22rq%22:0,%22rp%22:0,%22rpe%22:0,%22dl%22:6,%22di%22:37,%22ds%22:37,%22de%22:45,%22dc%22:636,%22l%22:793,%22le%22:796%7D,%22navigation%22:%7B%22ty%22:2%7D%7D&fcp=123&jsonp=NREUM.setToken", "xfe-URL-Owneriq.net-stix2-2.1-export.json", "votebuilder3df.pdf", "xfe-URL-shareaholic.com-stix2-2.1-export.json", "xfe-URL-Domainpeople.com-stix2-2.1-export.json", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "REFERENCE: https://goo.gl/hXbwiV", "https://px.owneriq.net/stas/s/sholic.js", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "103.246.145.111 [malware]", "https://dsms0mj1bbhn4.cloudfront.net/webpack/default~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~2fbcff42-06fb1418b4e0c0383855.js", "https://sb.scorecardresearch.com/beacon.js", "https://i.simpli.fi/dpx.js?cid=66112&m=0&sifi_tuid=37830&referrer=http%3A%2F%2Fwww.brechlerinsurance.com%2F", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "xfe-URL-bombora.com-stix2-2.1-export.json", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "votebuilder2df.pdf", "AS : AS16509 Amazon.com, Inc", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "185.199.108.133", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "https://dsms0mj1bbhn4.cloudfront.net/assets/pages-afd7ed46648f01def74df6e4c245da53bde609b863bf63ff94a87154f2f82de0.js", "www.anyxxxtube.net", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "0-w5-cms.ultimate-guitar.com", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "https://js.driftt.com/include/1652585100000/mezhk4858hn8.js", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "votebuilder.com apidf.pdf", "https://js.hubspot.com/analytics/1652585100000/210895.js", "https://js-agent.newrelic.com/nr-1216.min.js", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "http://www.brechlerinsurance.com/?gdbc-client=3.1.25-1652585170383", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "https://domainpeople.com", "nr-data.net [Apple Private Data Collection]", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "https://cdn.tynt.com/afsh.js", "x.ss2.us", "Votebuilder.com.pdf", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://de.tynt.com/deb/v2?id=sh!sh&dn=AFSH&cc=1&r=", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "votebuilder5df.pdf", "votebuilder7df.pdf", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "https://js-na1.hs-scripts.com/210895.js" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Out For Blood" ], "malware_families": [ "Generic", "Hacktool", "Worm:win32/autorun!atmn", "Magic", "Virtool:msil/obfuscator.bv", "Win.malware.generic-9820446-0", "Win.ransomware.wannacry-9856297-0", "Maltiverse", "Win.trojan.emotet-9850453-0", "Malvertizing", "Babulya/collectorstealer user-agent", "185.199.108.133.malware_host", "Vd", "Bomboraconsent", "Multios.coinminer.miner-6781728-2", "Win32:dracur-d\\ [cryp]", "Adware.opencandy", "Alf:hstr:hacktool:extremeinjector.s01", "Alf:heraklezeval:trojan:win32/agenttesla!rfn", "Worm:win32/krol.a", "Win32/ispen badnews fake user-agent", "Virtool", "Alf:base64encodefunctionmonitorw", "Emotet", "!#hstr:win32/spectorsoft" ], "industries": [ "Private sector", "Civil society", "Healthcare", "Technology", "Telecommunications" ], "unique_indicators": 152939 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/puntronic.com", "whois": "http://whois.domaintools.com/puntronic.com", "domain": "puntronic.com", "hostname": "blackfriday.puntronic.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 26, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b18d61efd8798827c12a", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:57.639000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b183175afafb5e3bfff5", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:47.977000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a819664c2499fc2adc79", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "", "modified": "2023-12-06T16:58:01.198000", "created": "2023-12-06T16:58:01.198000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 1664, "FileHash-MD5": 367, "FileHash-SHA1": 237, "domain": 1950, "URL": 6466, "hostname": 2346, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708e178755574d9812e4c9", "name": "Followed lead to brechlerinsurance.com", "description": "", "modified": "2023-12-06T15:07:03.528000", "created": "2023-12-06T15:07:03.528000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1329, "domain": 2068, "hostname": 4185, "URL": 12454, "email": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 20043, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570897ecb6cec4777625431", "name": "www.routerlogin.net", "description": "", "modified": "2023-12-06T14:47:26.604000", "created": "2023-12-06T14:47:26.604000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1532, "domain": 2033, "URL": 11153, "hostname": 2800, "FileHash-SHA1": 5, "email": 3, "FileHash-MD5": 6 }, "indicator_count": 17532, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570805953274b32ec1f981b", "name": "Votebuilder.com", "description": "", "modified": "2023-12-06T14:08:25.588000", "created": "2023-12-06T14:08:25.588000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 869, "domain": 834, "URL": 4755, "hostname": 1559, "CIDR": 2, "FileHash-MD5": 10 }, "indicator_count": 8029, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570800373899fd03e2e49db", "name": "Democrats.org", "description": "", "modified": "2023-12-06T14:06:59.250000", "created": "2023-12-06T14:06:59.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3114, "domain": 3501, "hostname": 3860, "URL": 17938, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f519ef27fa72eb62598", "name": "CambridgeAnalytica.org", "description": "", "modified": "2023-12-06T14:04:01.301000", "created": "2023-12-06T14:04:01.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 335, "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://blackfriday.puntronic.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://blackfriday.puntronic.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776682263.7709045 }