{ "type": "URL", "indicator": "https://chrome.google.com/webstore", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://chrome.google.com/webstore", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3537763692, "indicator": "https://chrome.google.com/webstore", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 42, "pulses": [ { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d4ddf1680e25f8a35479af", "name": "VirusTotal report\n for atom.exe", "description": "i have a iphone.", "modified": "2026-04-07T10:36:51.092000", "created": "2026-04-07T10:35:29.819000", "tags": [ "file type", "ascii", "json", "ms windows", "pe file", "ascii text", "utf8", "sqlite version", "openpgp secret", "file", "code", "persistence", "fraud", "next", "windows sandbox", "calls process", "has permission", "mitre attack", "network info", "accesses", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "info file", "cloud", "calls clear" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 19, "FileHash-SHA256": 165, "IPv4": 12, "URL": 101, "domain": 9, "hostname": 37 }, "indicator_count": 363, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d4ddf1828f3eeb138474ef", "name": "VirusTotal report\n for atom.exe", "description": "i have a iphone.", "modified": "2026-04-07T10:35:29.004000", "created": "2026-04-07T10:35:29.004000", "tags": [ "file type", "ascii", "json", "ms windows", "pe file", "ascii text", "utf8", "sqlite version", "openpgp secret", "file", "code", "persistence", "fraud", "next", "windows sandbox", "calls process", "has permission", "mitre attack", "network info", "accesses", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "info file", "cloud", "calls clear" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 19, "FileHash-SHA256": 165, "IPv4": 11, "URL": 101, "domain": 9, "hostname": 37 }, "indicator_count": 362, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6709ad372568d7810af2e480", "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25", "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca", "modified": "2026-01-05T22:04:46.025000", "created": "2024-10-11T22:56:55.968000", "tags": [ "entity", "RCMP", "Alberta", "EPS", "Edmonton Police Services", "RCMP AB", "CrimeStoppers AB" ], "references": [ "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "", "https://rcmp[.]ca/en/alberta", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "", "Government", "Telecommunications", "Education", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 764, "FileHash-SHA1": 760, "FileHash-SHA256": 4062, "domain": 378, "hostname": 1808, "URL": 886, "SSLCertFingerprint": 18, "email": 10, "CVE": 1 }, "indicator_count": 8687, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "548 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c6fca34accf64ef651846b", "name": "Skynet: Malware outbreak hits https://www.healthonecares.com/ network ", "description": "", "modified": "2024-03-11T01:03:58.799000", "created": "2024-02-10T04:33:39.687000", "tags": [ "threat", "paste", "iocs", "hostnames", "urls https", "samples", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "generic malware", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "malware site", "phishing site", "malicious site", "iframe", "acint", "crack", "conduit", "unsafe", "artemis", "team", "nircmd", "exploit", "wacatac", "phishing", "unruy", "alexa", "outbreak", "installcore", "iobit", "dropper", "mediaget", "zpevdo", "installpack", "zbot", "qakbot", "opencandy", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "agent", "filetour", "cleaner", "rostpay", "union", "bank", "live", "win64", "xtrat", "psexec", "occamy", "brontok", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "webtoolbar", "trojanspy", "united", "malicious host", "control server", "cobalt strike", "squirrelwaffle", "pony", "binder", "suppobox", "virut", "ramnit", "formbook", "azorult", "simda", "nymaim", "malicious", "cve201711882", "download", "virustotal", "facebook", "service", "tag count", "tld count", "sun jan", "urls", "blacklist http", "contacted", "whois record", "ssl certificate", "execution", "resolutions", "referrer", "communicating", "historical ssl", "dropped", "redline stealer", "nanocore rat", "skynet", "njrat", "ransomware" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "XTRat", "display_name": "XTRat", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "SysTweak", "display_name": "SysTweak", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Filetour", "display_name": "Filetour", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Simba", "display_name": "Simba", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "65c6d66e70fdd3792838b5f8", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1409, "FileHash-SHA1": 772, "FileHash-SHA256": 787, "URL": 81, "domain": 27, "hostname": 135, "CVE": 18 }, "indicator_count": 3229, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c6d66e70fdd3792838b5f8", "name": "Skynet: Malware outbreak hits https://www.healthonecares.com/", "description": "Skynet: a Tor-powered trojan with DDoS, Bitcoin mining and Banking ...", "modified": "2024-03-11T01:03:58.799000", "created": "2024-02-10T01:50:38.758000", "tags": [ "threat", "paste", "iocs", "hostnames", "urls https", "samples", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "generic malware", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "malware site", "phishing site", "malicious site", "iframe", "acint", "crack", "conduit", "unsafe", "artemis", "team", "nircmd", "exploit", "wacatac", "phishing", "unruy", "alexa", "outbreak", "installcore", "iobit", "dropper", "mediaget", "zpevdo", "installpack", "zbot", "qakbot", "opencandy", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "agent", "filetour", "cleaner", "rostpay", "union", "bank", "live", "win64", "xtrat", "psexec", "occamy", "brontok", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "webtoolbar", "trojanspy", "united", "malicious host", "control server", "cobalt strike", "squirrelwaffle", "pony", "binder", "suppobox", "virut", "ramnit", "formbook", "azorult", "simda", "nymaim", "malicious", "cve201711882", "download", "virustotal", "facebook", "service", "tag count", "tld count", "sun jan", "urls", "blacklist http", "contacted", "whois record", "ssl certificate", "execution", "resolutions", "referrer", "communicating", "historical ssl", "dropped", "redline stealer", "nanocore rat", "skynet", "njrat", "ransomware" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "XTRat", "display_name": "XTRat", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "SysTweak", "display_name": "SysTweak", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Filetour", "display_name": "Filetour", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Simba", "display_name": "Simba", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 79, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1409, "FileHash-SHA1": 772, "FileHash-SHA256": 787, "URL": 81, "domain": 27, "hostname": 135, "CVE": 18 }, "indicator_count": 3229, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c9717b0c7c783e1a390fc5", "name": "Report Spam Author avatar Skynet: Malware outbreak hits https://www.healthonecares.com/", "description": "", "modified": "2024-03-11T01:03:58.799000", "created": "2024-02-12T01:16:43.494000", "tags": [ "threat", "paste", "iocs", "hostnames", "urls https", "samples", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "generic malware", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "malware site", "phishing site", "malicious site", "iframe", "acint", "crack", "conduit", "unsafe", "artemis", "team", "nircmd", "exploit", "wacatac", "phishing", "unruy", "alexa", "outbreak", "installcore", "iobit", "dropper", "mediaget", "zpevdo", "installpack", "zbot", "qakbot", "opencandy", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "agent", "filetour", "cleaner", "rostpay", "union", "bank", "live", "win64", "xtrat", "psexec", "occamy", "brontok", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "webtoolbar", "trojanspy", "united", "malicious host", "control server", "cobalt strike", "squirrelwaffle", "pony", "binder", "suppobox", "virut", "ramnit", "formbook", "azorult", "simda", "nymaim", "malicious", "cve201711882", "download", "virustotal", "facebook", "service", "tag count", "tld count", "sun jan", "urls", "blacklist http", "contacted", "whois record", "ssl certificate", "execution", "resolutions", "referrer", "communicating", "historical ssl", "dropped", "redline stealer", "nanocore rat", "skynet", "njrat", "ransomware" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "XTRat", "display_name": "XTRat", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "SysTweak", "display_name": "SysTweak", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Filetour", "display_name": "Filetour", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Simba", "display_name": "Simba", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "65c6d66e70fdd3792838b5f8", "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1409, "FileHash-SHA1": 772, "FileHash-SHA256": 787, "URL": 81, "domain": 27, "hostname": 135, "CVE": 18 }, "indicator_count": 3229, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bbe07f0780cef1c48ccae4", "name": "access.blackbagtech.com", "description": "innovative forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices.\nIn this instance Pegasus was deployed against the survivor of hungry, injurious SA against Brashears; allegedly assaulted by PT Jeffrey Reimer in AMS Concentra/Select Physical Therapy in Denver, Co. Rather than investigate DPT Reimer, law enforcement launched attack against victim ( SCI/TBI). Brashears was threatened by Mark Montana MD, lawyer and Workers Compensation doctor. Denied care, equally aggressive Montano wage effort to ensure silence and wides bid for Douglas County, Colorado Coroner election. Fraud, framing, death threats ensued. Montano threatened Brashears with his alleged best friend Tony Spurlock, promising a battle against her Court documented. \nBrashears is in danger.", "modified": "2024-03-02T17:02:51.870000", "created": "2024-02-01T18:18:39.156000", "tags": [ "ssl certificate", "whois record", "pegasus", "cellbrite", "targets sa", "survivor", "blackbag", "relations apple", "mdm hacking", "communicating", "execution", "contacted", "quasar", "kgs0", "malware", "core", "hacktool", "ransomexx", "azorult", "emotet", "remcos", "agent tesla", "grandoreiro", "targeting tsara brashears", "delphi programming", "access", "local law enforcement", "quasi case", "framing", "jeffrey reimer dpt 'reported' assaulter", "state and governments cover white offender jeffrey reimer", "indian mix brashears physically attacked often followed", "death threats", "alienvault results removed from search results", "brashears tagged in adult content - not removed", "brashears blacklisted", "reimer promoted", "false criminal records created about brashears", "brashears family identity theft", "judge sided with brashears", "brashears given less than $10000 by Brian sabey", "brian sabey constant contact ) threats", "brashears stalked", "reimer protected and hidden", "pegasus technology disallows victim to report to regulatory boar", "aig", "industry and commerce", "danger", "rob neill drives brashears off road", "brashears further injured", "neill positively identified - no charges", "malvertizing", "botnet", "fraud apple support chats", "falsified medical records", "denied healthcare", "hydrocephalus not disclosed", "permanent damage", "corruption", "burg simpson corruption", "Denver trial attorneys tell brashears statute is 6 years in colo", "da informs brashears no statute", "brashears denied disability benefits for years", "remember george floyd? brashears survived that injury", "brashears cannot digest food", "brashears can't toilet", "jeffrey reimer was reported early", "brashears bullied to return to PT due to workers compensation ru", "montano threatened brashears with breaking the law if not return", "reimer recorded", "recordings stored online", "recordings retrieved by bgp", "bryan counts made aware of recordings", "recordings demanded", "america?", "advocates ensure the rights of others", "make others aware", "who else is unheard.", "non stop harassment", "constant car bomb threats", "brashears unable to properly articulate", "nothing new", "assaulted by man demanding phone", "no charges", "Brian sabey brings case to silence brashears", "sabey motions dismissed", "pegasus involves malicious actions by humans", "pegasus attackers do kill", "pegasus attackers make in person contact", "overly large campaign", "private investigators tailed stalkers. became afraid when learni", "discrimination", "hacking", "tracking", "car hacking", "apple", "android overlay", "network rats", "brashears denied vocational rehab twice", "brashears unhirable due to online profile", "employer rightfully consider brashears attack a risk to others", "group hacked intermountain healthcare", "group hacked uchealth colorado", "group hacked esurance" ], "references": [ "access.blackbagtech.com", "The only thing necessary for the triumph of evil is for good men to do nothing.\u201d" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 87, "FileHash-SHA1": 78, "FileHash-SHA256": 2075, "URL": 2696, "domain": 710, "hostname": 827, "CVE": 1 }, "indicator_count": 6474, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a429795adf468b427a3c8b", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.", "modified": "2024-02-13T17:04:19.437000", "created": "2024-01-14T18:35:37.757000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2462, "URL": 5950, "FileHash-MD5": 168, "FileHash-SHA1": 156, "FileHash-SHA256": 3901, "CIDR": 2, "hostname": 2766, "email": 2, "CVE": 1 }, "indicator_count": 15408, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ba25b4f50a9e080a3a4c8", "name": ".............", "description": "", "modified": "2024-02-07T06:03:52.243000", "created": "2024-01-08T07:20:59.564000", "tags": [ "whois record", "ssl certificate", "communicating", "historical ssl", "referrer", "resolutions", "whois whois", "subdomains", "domains", "siblings", "hashes files", "name verdict", "falcon sandbox", "pattern match", "temp", "localappdata", "ascii text", "json data", "observed email", "unicode text", "sqlite version", "html document", "crlf line", "general", "hybrid", "slug" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 1204, "domain": 232, "hostname": 452, "URL": 1491, "SSLCertFingerprint": 2, "email": 36 }, "indicator_count": 3437, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc13594cf21dbe00b94807", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-02-01T21:55:37.581000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "65b85faa9b8e3e1206d7f25c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e6e042a968005f7a5552", "name": "Content Reputation | ET | Botnet | Targeting", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-17T14:40:32.084000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "817 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9011e57040b2717c99c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:45.262000", "created": "2023-12-31T05:15:45.262000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6590f8f3b192d56e80294c13", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f8f3b192d56e80294c13", "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:31.645000", "created": "2023-12-31T05:15:31.645000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653f21878bcd05f7d594ff86", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558126013aef7ce80968842", "name": "PuffStealer", "description": "", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-18T01:24:48.887000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "654c5970817e6bf8b0e5b5ff", "export_count": 334, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654d29ff31857aafba0358e1", "name": "Lucky Mouse APT27 | Feodo Tracker | Malicious Tor Server | Apple iOS", "description": "", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T18:50:39.675000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "654c597a4a45c8d84f0b15c1", "export_count": 341, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c606d74f82e547c77ad89", "name": "Ransom.Win64.PORNOASSET.SM1 | DeepScan:Generic.Ransom.GandCrab5", "description": "Ransom.Win64.PORNOASSET.SM1 DeepScan:Generic.Ransom.GandCrab5\nBlackNET RAT $WebWatson\nAuto generated results from a variety of tools.", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T04:30:37.089000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 338, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c597a4a45c8d84f0b15c1", "name": "Lucky Mouse APT27 | Feodo Tracker | Malicious Tor Server | Apple iOS", "description": "Darkside 2020 Ecosystem .BEware\nMalicious Tor server. Link found in pulse created prior. \nMalvertizing target: Tsara Brashears\nRevenge Porn.\nThere may me others. Malicious Apple activities, locating, CVE exploits, unlocking, hijacker, service transfer, spyware, malicious full auth, tracking, endless. Seems to originate from a law firm that goes to far to defend clients and silence alleged victims. \nSome State allow the same privileges and tools the federal government to insurance, workers compensation, investigators and insurance company law firms for investigations. \nFear tactics they seem willing to back up. I was approached and asked about my cyber knowledge by strangers. I am followed now for using a tool properly.\nALL terms auto populated from various tools from various tools used including, State, Brian Sabey, cyber stalking. Perhaps he's made contact with target. Danger!", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T04:00:58.166000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 338, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c5970817e6bf8b0e5b5ff", "name": "Lucky Mouse APT27 | Feodo Tracker | Malicious Tor Server | Apple iOS", "description": "Darkside 2020 Ecosystem .BEware\nMalicious Tor server. Link found in pulse created prior. \nMalvertizing target: Tsara Brashears\nRevenge Porn.\nThere may me others. Malicious Apple activities, locating, CVE exploits, unlocking, hijacker, service transfer, spyware, malicious full auth, tracking, endless. Seems to originate from a law firm that goes to far to defend clients and silence alleged victims. \nSome State allow the same privileges and tools the federal government to insurance, workers compensation, investigators and insurance company law firms for investigations. \nFear tactics they seem willing to back up. I was approached and asked about my cyber knowledge by strangers. I am followed now for using a tool properly.\nALL terms auto populated from various tools from various tools used including, State, Brian Sabey, cyber stalking. Perhaps he's made contact with target. Danger!", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T04:00:48.087000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 339, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570917af75d1446c7c109eb", "name": "Apple's crappy FaceTime ~ Nothing has changed", "description": "", "modified": "2023-12-06T15:21:30.720000", "created": "2023-12-06T15:21:30.720000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 727, "domain": 213, "hostname": 342, "URL": 1029, "email": 1, "FileHash-MD5": 2 }, "indicator_count": 2314, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65463631b46319b3aa1d071f", "name": "Qausar RAT - aig.com |", "description": "Compilation of research identifilocates aig.com Defense Division of Workers Compensation. \nMalicious & invasive tactics remain. Target seem to have been removed from, revenge porn campaign targeted name no longer auto populates, registrant seems poised for campaign.\nTactics include phishing, tracking, geotracking, device location, monitoring, side loading apps and remote access. \n\nQausar Rat identified:\nAlso known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.", "modified": "2023-12-04T11:01:36.202000", "created": "2023-11-04T12:16:49.600000", "tags": [ "general full", "url https", "reverse dns", "security tls", "protocol h2", "name value", "resource", "united", "asn16509", "amazon02", "main", "facebook", "http", "request chain", "november", "de page", "url history", "javascript", "meta", "page url", "redirected", "http redirect", "value", "mime type", "variables", "contexthub", "visitor object", "cq function", "sanitize object", "elqq", "domainpath name", "link", "property", "workers", "compensation", "login myaig", "liability", "contact", "a claim", "commercial auto", "login aig", "form", "cyber", "find", "team", "defense", "crime", "ransom", "energy", "cargo", "life", "media", "enterprise", "american international", "frankfurt", "germany", "october", "domains", "asn20940", "cisco", "umbrella rank", "domain", "de summary", "ssl certificate", "whois record", "whois whois", "malware", "network mooooda", "and china", "filter https", "dsp1", "keepaliveyes", "p11642963562", "quasar", "metro", "android", "djvu", "win32 exe", "win32 dll", "ms excel", "dao360", "spreadsheet", "files", "detections type", "name", "phishing", "tulach exploits", "falcon sandbox", "pattern match", "file", "script", "indicator", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "date", "unknown", "body", "error", "span", "class", "generator", "critical", "refresh", "open", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "suricata" ], "references": [ "aig.com", "https://urlscan.io", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "remoteaccess.aig.com", "https://remote.goeaston.net", "window.location.search", "location.search", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/" ], "public": 1, "adversary": "American International", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "American International", "display_name": "American International", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Reinsurance", "Travel" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 117, "FileHash-SHA256": 1962, "domain": 575, "hostname": 1623, "FileHash-MD5": 123, "URL": 3670, "CVE": 2 }, "indicator_count": 8072, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "867 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f21878bcd05f7d594ff86", "name": " AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T03:22:47.684000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db044432cdee91e2f5d1c", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db044432cdee91e2f5d1c", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:16.410000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db0487ec8c7a4c0b1ef0e", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:20.916000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db12d71978ca34e49e88e", "name": "Hacking stemming from malicious DGA Insurance domains under Cisco Umbrella", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:11:09.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570", "defense entity fraud?" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db32c6a6193714e513695", "name": "Targeted hacking via malicious DGA insurance domains AIGcom | Host: am1mxi05.aig.com | IP: 167.230.100.44", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago\nHard to understand.", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:19:40.692000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f02c459cc8bcaa5ebeb7a", "name": "Targeted hacking via malicious DGA insurance domains AIGcom", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:11:32.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "653db32c6a6193714e513695", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f05ff39b2dee54b89d17a", "name": "AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:25:19.036000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db0487ec8c7a4c0b1ef0e", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f2100b535d359accfc3a6", "name": "CVE JAR Found | Massive active Malicious | Tulach & AIG associated | Scam", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:20:32.349000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": "653960d6d09796c4ba4c1e90", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f219ce051cf01e9a6be8b", "name": "Speechless | Critical", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:23:08.790000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653977171f690fb9ab978bf3", "name": "Speechless | Critical", "description": "Cyber threat. Target Tsara Brashears is now Tsara Brashears Malware. Looks like an investigation, might be a legitimate investigation. I have no insight as to whether investigation is warranted, staged, or silencing?? \nVerdict:\nAdversarial monitoring, harassment, Libel, cyber crime by a genius exploiting regulations and escalation privileges. Target at high risk.", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T20:14:14.532000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653960d6d09796c4ba4c1e90", "name": "CVE JAR Found | Massive active Malicious | unlatched issues", "description": "Monitoring Tsara Brashears - Extreme cyber attack against documented as alleged SA victim. Non-Adversarial Tsara Brashears inflicted with highly malicious Malware auto populated. Massive online attack on Tsara Brashears defaced digital profile. Attacks primarily by Adversarial Tulach malware.\nDaisy Coleman [deceased] moderate malware attack against target a documented SA survivor.\nThis is a revenge attacker. \nPhysical harm imminence [HIGH] SOS\nEdward Snowden speaks of similar attacks against American citizen. Was target warned of malware status or massive attack. Made aware of Botnet by any authority?", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T18:39:18.723000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63002a17b34d067bf9ed7e35", "name": "Apple's crappy FaceTime ~ Nothing has changed", "description": "", "modified": "2022-09-18T00:03:55.814000", "created": "2022-08-20T00:25:59.852000", "tags": [ "whois record", "whois", "vt graph", "collection", "devils work", "dsp1", "keepaliveyes", "mac malware", "ip check", "chinese", "qakbot", "ransomexx", "quasar", "mirai", "Apple Zero Day", "Ransomware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 727, "hostname": 342, "email": 1, "domain": 213, "URL": 1029, "FileHash-MD5": 2 }, "indicator_count": 2314, "is_author": false, "is_subscribing": null, "subscriber_count": 411, "modified_text": "1309 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "applemusic-spotlight.myunidays.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [SQLi Dumper]", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "Deep Research", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "IPv4 45.15.156.208 command_and_control", "msftconnecttest.com", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "window.location.search", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Cyber Threat Coalition", "http://alohatube.xyz/search/tsara-brashears", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "Domains Contacted: fenbushijujuefuwu.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "IPv4 45.12.253.72. command_and_control", "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Hostname: www.supernetforme.com command_and_control", "20.99.186.246 exploit source", "The only thing necessary for the triumph of evil is for good men to do nothing.\u201d", "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "angryblackwomyn.com", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "The next pulse will show Apple IoC\u2019s related to Tulach.cc", "ThreatFox Abuse.ch", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "api.telegram.org", "compromised_site_redirector_fromcharcode fromCharCode", "http://init-p01st.push.apple.com/bag (malicious web creator)", "https://rcmp[.]ca/en/alberta", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "https://www.sweetheartvideo.com/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "access.blackbagtech.com", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn", "https://www.myminiweb.com/", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "newrelic.se [Apple Collection]", "https://urlscan.io", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "IPv4 63.251.106.25 command_and_control", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "dvd-game-new-releases.info", "opencve.djgummikuh.de (CVE dispensary)", "x.com - Malware Packed", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "init-p01st.push.apple.com", "Maltiverse Research Team", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "tulach.cc [Adversarial Malware Attack Source]", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a", "Worm:Win32/Benjamin", "Hybrid Analysis", "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "fp2e7a.wpc.2be4.phicdn.net", "104.200.22.130 Command and Control", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "appleid.cdn-apple.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://twitter.com/juvlarN", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "IPv4 95.213.186.51 command_and_control", "IPv4 72.251.233.245 command_and_control", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "nr-data.net [ Hidden private Apple data collection]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "http://ti.hicloudcam.com", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://search.app.goo.gl/?ofl", "apple-dns.net. [Apple email collection]", "bleepingcomputer.com \u2022 CliffsNotes", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://thebrotherssabey.wordpress.com/", "https://downloaddevtools.ir/ (phishing)", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "ns3.hallgrandsale.ru", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "remoteaccess.aig.com", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "1.116.217.151 [Cobalt Strike]", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "IPv4 104.247.81.51 command_and_control", "https://api.w.org/ \u2022 api.w.org", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "location.search", "beacons.bcp.gvt.com", "IPv4 103.224.182.246 command_and_control", "discord.com \u2022 discord.gg", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "developer.x.com \u2022 https://twitter.com/githubstatus", "acam-mdn.apple.com", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "nr-data.net", "blackhat.store", "api.item.yixun.com", "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "12 CVE exploits posted in 'scoreblue' CVE tally", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "aig.com", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "vtbehaviour.commondatastorage.googleapis.com", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "nr-data.net \u2022 www.youtube.com", "https://remote.goeaston.net", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://tulach.cc/", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "cpcontacts.webcamara.online", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "happylifehappywife.com", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "103.224.212.34 scanning_host", "Hostname: ddos.dnsnb8.net command_and_control", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "0-1.duckdns.org [malicious]", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "URLscan.io", "URLhaus Abuse.ch" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "American International", "NSO Group", "Lucky Mouse APT27 | NoName057(16) | Unnamed" ], "malware_families": [ "Cve-2015-1650", "Trojan.psw.python", "Exploit.cve", "Gen:nn.zexaf.32515", "Unsafe", "Trojan.vbkryjetor", "Risktool.phpw", "Gen:trojan.heur2.lptbhw@w64.hfsautob", "Trojan.ransom.generickd", "Worm.win64.autorun", "Ml.generic", "Backdoor:win32/tofsee.t", "Trojandropper:win32/muldrop.v!mtb", "Blacknet", "Opensubtitles.a", "Heur/qvm41.2.da9b.malware", "Tsara brashears", "Heur.vba.trojan", "Trojan.killproc", "Backdoor.rbot", "Alfper:hstr:wizremurl.a1", "Gen:variant.bulz", "Riskware.agent", "Malwarex", "Virut", "Cil.heapoverride", "Heur:trojan.tasker", "Macro.downloader.amip", "Locky", "Quasar rat", "$webwatson", "Pua.gen", "Hacktool.bruteforce", "Zbot", "Gamehack.dom", "Inmortal", "Goldmax - s0588", "Phish.ab", "Pws:win32/ymacco.aa50", "American international", "Ransom:win32/eniqma.a", "Trojanspy.keylogger", "Unsafe.ai_score_100%", "Packed.themida.gen", "Hacktool", "Html.trojan.ascii212_44_64_202-1", "Win.packer.pkr_ce1a-9980177-0", "Emotet", "Trojan:python/downldr", "Trojan.pornoasset", "#lowfi:siga:trojanspy:msil/keylogger", "Nanocore rat", "Hw32.packed", "Unruy", "Agen.1043164", "Ransom.win64.pornoasset.sm1", "Tulach malware", "Backdoor.agent", "Trojan.pws.growtopia", "Generic.msil.limerat", "#lowfi:win32/autoit", "Qakbot", "Bscope.riskware", "Azorult", "Heur:trojan.msil.tasker", "Loki bot", "Troj_gen.r002c0og518", "Trojan:vba/downldr", "Tofsee", "Gen:variant.msilperseus", "Trojan.tasker", "Packed.vmprotect", "Loki password stealer (pws)", "Chaos", "Firehol", "Gen:variant.jaiko", "Snh:script [dropper]", "Js:trojan.cryxos", "Injector.clds", "Trojan:win32/mydoom", "Skynet", "Gen:nn.zemsilf.34128", "Hacktool.cheatengine", "Pwsx", "Win.malware.cymt-10023133-0", "Trickbot - s0266", "Trojan.doc.downloader", "Filerepmalware", "Vb:trojan.valyria", "Trojan.python", "Trojan.starter js.iframe", "Backdoor.hupigon", "Unix.trojan.mirai-9441505-0", "Maui ransomware", "Black.gen2", "Agen.1030939", "Alf:trojan:win32/cassini_412f60c8!ibt", "Death bitches", "Trojandownloader:win32/nemucod", "Presenoker", "Ramnit.n", "Macro.agent", "Agen.1141126", "Redcap.rlhse", "Gen:heur.ransom.hiddentears", "Remcos", "Trojan.trickbot", "Heur:exploit.generic", "Gen:variant.graftor", "Backdoor.msil.agent", "Hallrender", "Agent tesla - s0331", "Chinese", "Deepscan:generic.ransom.amnesiae", "Tulach", "Raccoon stealer", "Gen:heur.noobyprotect", "Libraryloader", "Python.keylogger", "Packed.netseal", "Dropper.trojan.generic", "#lowfijavazkm", "Ransom_wcry.smj", "Gootloader", "Trojan.packednet", "Pua.reg1staid", "Downloader.certutilurlcache", "Ducktail", "Riskware", "Heur:trojan.linux.agent", "Generic.msil.grwtpstealer.1", "Hallgrand", "Generic.servstart.a", "Apple malware", "Silk", "Opencandy", "Trojan.downloader.generic", "Suspicious_gen.f47v0520", "Injector.is.gen", "Injector.jdo", "Trojan.vba", "Fake ,promethiumm ,strongpity", "Powershell.downloader", "Wannacry", "Trojanspy", "Feodo", "Pws-fczz", "Agenttesla", "Fonepaw", "Staticrr.paleokits.net", "Deepscan:generic.spyagent.6", "Constructor.msil", "Gen:variant.revengerat", "Formbook", "Win.malware.midie-6847893-0", "Heur.bzc.yax.pantera.10", "Pwndlocker", "Heur:remoteadmin.generic", "Js:iframe", "Win.malware.swisyn-7610494-0", "Js:trojan.js.faceliker", "Dropper.msil", "Trojan.chapak", "Crack", "Delf.nbx", "Wannacryptor", "Alf:heraklezeval:trojan:win32/azorult.fw!rfn", "Cve jar", "Dnspionage", "Virus.3dmax.script", "Gen:variant.midie", "Script.inf", "Yixun", "Ransomware", "Redcap.vneda", "Domains", "Adware.installmonetizer", "Gandcrab", "Virus.office.qexvmc", "Immortal stealer", "Neurovt", "Maltiverse", "Content reputation", "Upackv037dwing", "Exploit.w32.agent", "Et", "Webtoolbar", "Installcore", "Gen:heur.msil.inject", "Powershell.trojan", "Systweak", "Dridex", "Trojan.script", "Susp.rtf.objupdate", "Amazon aes", "Heur:trojan.ole2.alien", "Auslogics", "Elf", "Psw.stealer", "Riskware.hacktool.agent", "States", "Psw.agent", "Adware.kuzitui", "Xegumumune.8596c22f", "Gen:heur.ransom.msil", "Vb.chronos.7", "Trojan:win32/installcore", "Win.trojan.vbgeneric-6735875-0", "Bit rat", "Raccoon", "Dropper.binder", "Daisy coleman", "Goldfinder", "Ransom_wcry.smalym", "Malicious.d800d6", "Sdbot.caoc", "Malware.tk.generic", "Sabey", "Worm:win32/mofksys.rnd!mtb", "Bladabindi.q", "Macro.trojan.dropperd", "Generic.msil.passwordstealer", "Trojan.malware.121218", "Indiloadz.bb", "Networm", "Worm:win32/macoute.a", "Js:trojan.clicker", "Win.packed.botx-10021462-0", "Packed-gv", "Heur.msword.gen", "Apt notes", "Gen:variant.barys", "Trojan.php.agent", "Behaveslike.ransom", "Win.trojan.agent-1371484", "W32.aidetectvm", "Heur:trojan.msoffice.alien", "W32.eheur", "Mal/generic-s", "Autoit.bimwt", "Phish.jat", "Artemis", "Dark power", "Ransomexx", "Worm:win32/lightmoon.h", "Tor - s0183", "Kryptik.fph.gen", "Cryp_xed-12", "Trojanx", "Looquer", "Packed.asprotect", "Behavbehaveslike.pupxbi", "Exploit.msoffice", "Index.php", "Kryptik.gucb", "Evo", "Virus.ramnit", "Fusioncore", "Vba.downloader", "Vidar", "Trojan.notifier", "W32.trojan", "Brontok", "Agen.1045227", "Nymaim", "Kryptik.nrd", "Backdoor.androm", "Malicious.71b1a8", "Application.searchprotect", "Js:trojan.hidelink", "Program.unwanted", "Win.malware.generickdz-9937235-0", "Gen:variant.kazy", "Mirai", "Virus.virut", "Gen:variant.ursu", "Gen:variant.zusy", "Malicious.6e0700", "Trojanspy.python", "Vb.emodldr.4", "Constructor.msil linux.agent", "Trojan:win32/detplock", "Redcap.zoohz", "Slfper:softwarebundler:win32/icloader.a", "Script.agent", "Agen.1038489", "Win.trojan.barys-10005825-0", "Trojan.wanna", "Riskware.netfilter", "Trojan.inject", "Dropped:generic.ransom.dmr", "Susp.lnk", "Gen:variant.sirefef", "Gen:variant.razy", "Gen:variant.symmi", "Redline stealer", "Generic.malware.smyb", "Adware.downware", "Agent.ypez", "Trojan.pws", "Sgeneric", "Dangerousobject.multi", "Icefog", "Malicious.3e78cc", "Alf:hstr:virtool:win32/obfuscator!pecancer", "Heur:adware.startsurf", "Hack.patcher", "Zpevdo.b", "Hiddentear", "Vb.emooodldr.10", "Backdoor:win32/tofsee.", "Trojan.msil", "Ait.heur.cottonmouth.8.78f19bd7", "Dapato", "Ransom:win32/wannaren.a", "Agent.nbae", "Gen:nn.zemsilf.34062", "Application.sqlcrack", "Swrort", "Trojan.html.phish", "Malicious.11abfc", "Suspected of trojan.downloader.gen", "Filetour", "Agent.aik.gencil.stupidcryptor", "Win.malware.moonlight-9919383-0", "Vb.pwshell.2", "Linux.agent", "Backdoor.xtreme", "Trojan.heur", "Win.dropper.quasarrat-10023124-0", "Gen:heur.msil.androm", "Sibot", "Html:script", "Ransom.wannacrypt", "Trojan.js.agent", "Trojan.autoruns.generickds", "Tscope.trojan", "Behaveslike.exploit", "Generic.trickbot.1", "Downldr.gen", "Suspicious.save", "Gen:variant.cerbu", "Gamehack.crs", "Generic.msil.bladabindi", "Msil.downloader", "Blacknet rat", "Xtrat", "Twitter malware", "Trojan.indiloadz", "Trojan.trickster", "Trojanspy:win32/nivdort", "Kuluoz.b.gen", "Possiblethreat.pallas", "Ransom:win32/cve-2017-0147", "Hoax.js.phish", "Agent.aso", "Deepscan:generic.ransom.gandcrab5", "Faceliker.a", "Qvm201.0.b70b.malware", "Generic.asmalws", "Trojanspy:win32/nivdort.de", "Phishing.html", "Hacktool.binder", "Win.malware.aauto-9839281-0", "Heur/qvm42.3.72eb.malware", "Tsgeneric", "Msil.trojan.bse", "Malicious.high.ml", "Ransom.win64.wacatac.oa", "Alf:heraklezeval:rogue:win32/fakerean", "Heur:trojan.msoffice.sagent", "Gen:variant.mikey", "Malicious.f01f67", "Lockbit", "Trojan.pws.agent", "Agen.1144657", "Facebook ht", "Trojan.ole2.vbs", "Trojan.win64", "Suspicious.low.ml", "Dropper.trojan.agent", "Suspicious.cloud", "Malicious.8c45ba", "Kryptik.noe", "Xlm.trojan.abracadabra.27", "Js:trojan.js.likejack", "Trojandownloader:linux/downldr", "Zbd zeus", "Suppobox", "Trojan:linux/downldr", "Bscope.trojan", "Gen:nn", "Gen:variant.ulise", "Generic.bitcoinminer.3", "Win.trojan.zegost-9769410-0", "Trojan:win32/tiggre", "Simba", "Mimikatz", "Win.malware.razy-6979265-0", "Heur:backdoor.msil.nanobot", "Worm:win32/fesber.a", "Generic.malware", "Trojan.androm.gen", "Win.packed.generic-9967832-0", "Zpevdo", "Lolkek", "Trojan.ekstak", "Webmonitor rat", "Nanocore", "Dldr.agent", "Trojan.java", "Trojan.wisdomeyes.16070401.9500", "Riskware.crack", "Troj_frs.vsntfk19", "Adload.ad81", "Trojanspy.java", "Squirrelwaffle", "Gen:variant.johnnie", "Trojan.cud.gen", "Malware.heur_generic.a", "Cil.stupidcryptor", "S-b748adc5", "Il:trojan.msilzilla", "Trojan.delshad", "Slf:win32/elenquay.a", "W32.aidetect", "Win.trojan.tofsee-7102058-0", "Agent.pwc", "Heur:webtoolbar.generic", "Occamy", "Vb.downloader.2", "Trojan:msil/burkina", "Vb:trojan.vba.agent", "Backdoor.poison", "Html_redir.smr", "Win.malware.jaik-9968280-0", "Pws.p", "Trojan.malware.300983", "Wacapew.c", "Wacatac.d6", "Scrinject.b", "Heur:trojan.msoffice.stratos", "Exploit cve-2017-11882", "Agent.aik.gen", "Trojan.generic", "Trojan.msil.injector", "Trojan:win32/wacatac", "Worm:win32/benjamin", "Gamehack.nl", "Gen:variant.ser.strictor", "Application.innovativsol", "Cobalt strike", "Spyware.bobik", "Trojan.psw.mimikatz", "Psw.discord", "Trojan.agent", "Smokeloader", "Swisyn", "Win.packed.stealerc-10017074-0", "Malicious.moderate.ml", "Nemucod.a" ], "industries": [ "", "Healthcare", "Travel", "Education", "Government", "Reinsurance", "Technology", "Telecommunications" ], "unique_indicators": 134899 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "chrome.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 42, "pulses": [ { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d4ddf1680e25f8a35479af", "name": "VirusTotal report\n for atom.exe", "description": "i have a iphone.", "modified": "2026-04-07T10:36:51.092000", "created": "2026-04-07T10:35:29.819000", "tags": [ "file type", "ascii", "json", "ms windows", "pe file", "ascii text", "utf8", "sqlite version", "openpgp secret", "file", "code", "persistence", "fraud", "next", "windows sandbox", "calls process", "has permission", "mitre attack", "network info", "accesses", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "info file", "cloud", "calls clear" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 19, "FileHash-SHA256": 165, "IPv4": 12, "URL": 101, "domain": 9, "hostname": 37 }, "indicator_count": 363, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d4ddf1828f3eeb138474ef", "name": "VirusTotal report\n for atom.exe", "description": "i have a iphone.", "modified": "2026-04-07T10:35:29.004000", "created": "2026-04-07T10:35:29.004000", "tags": [ "file type", "ascii", "json", "ms windows", "pe file", "ascii text", "utf8", "sqlite version", "openpgp secret", "file", "code", "persistence", "fraud", "next", "windows sandbox", "calls process", "has permission", "mitre attack", "network info", "accesses", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "info file", "cloud", "calls clear" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 19, "FileHash-SHA256": 165, "IPv4": 11, "URL": 101, "domain": 9, "hostname": 37 }, "indicator_count": 362, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6709ad372568d7810af2e480", "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25", "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca", "modified": "2026-01-05T22:04:46.025000", "created": "2024-10-11T22:56:55.968000", "tags": [ "entity", "RCMP", "Alberta", "EPS", "Edmonton Police Services", "RCMP AB", "CrimeStoppers AB" ], "references": [ "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "", "https://rcmp[.]ca/en/alberta", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "", "Government", "Telecommunications", "Education", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 764, "FileHash-SHA1": 760, "FileHash-SHA256": 4062, "domain": 378, "hostname": 1808, "URL": 886, "SSLCertFingerprint": 18, "email": 10, "CVE": 1 }, "indicator_count": 8687, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "548 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c6fca34accf64ef651846b", "name": "Skynet: Malware outbreak hits https://www.healthonecares.com/ network ", "description": "", "modified": "2024-03-11T01:03:58.799000", "created": "2024-02-10T04:33:39.687000", "tags": [ "threat", "paste", "iocs", "hostnames", "urls https", "samples", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "generic malware", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "malware site", "phishing site", "malicious site", "iframe", "acint", "crack", "conduit", "unsafe", "artemis", "team", "nircmd", "exploit", "wacatac", "phishing", "unruy", "alexa", "outbreak", "installcore", "iobit", "dropper", "mediaget", "zpevdo", "installpack", "zbot", "qakbot", "opencandy", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "agent", "filetour", "cleaner", "rostpay", "union", "bank", "live", "win64", "xtrat", "psexec", "occamy", "brontok", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "webtoolbar", "trojanspy", "united", "malicious host", "control server", "cobalt strike", "squirrelwaffle", "pony", "binder", "suppobox", "virut", "ramnit", "formbook", "azorult", "simda", "nymaim", "malicious", "cve201711882", "download", "virustotal", "facebook", "service", "tag count", "tld count", "sun jan", "urls", "blacklist http", "contacted", "whois record", "ssl certificate", "execution", "resolutions", "referrer", "communicating", "historical ssl", "dropped", "redline stealer", "nanocore rat", "skynet", "njrat", "ransomware" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "XTRat", "display_name": "XTRat", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "SysTweak", "display_name": "SysTweak", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Filetour", "display_name": "Filetour", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Simba", "display_name": "Simba", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "65c6d66e70fdd3792838b5f8", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1409, "FileHash-SHA1": 772, "FileHash-SHA256": 787, "URL": 81, "domain": 27, "hostname": 135, "CVE": 18 }, "indicator_count": 3229, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c6d66e70fdd3792838b5f8", "name": "Skynet: Malware outbreak hits https://www.healthonecares.com/", "description": "Skynet: a Tor-powered trojan with DDoS, Bitcoin mining and Banking ...", "modified": "2024-03-11T01:03:58.799000", "created": "2024-02-10T01:50:38.758000", "tags": [ "threat", "paste", "iocs", "hostnames", "urls https", "samples", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "generic malware", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "malware site", "phishing site", "malicious site", "iframe", "acint", "crack", "conduit", "unsafe", "artemis", "team", "nircmd", "exploit", "wacatac", "phishing", "unruy", "alexa", "outbreak", "installcore", "iobit", "dropper", "mediaget", "zpevdo", "installpack", "zbot", "qakbot", "opencandy", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "agent", "filetour", "cleaner", "rostpay", "union", "bank", "live", "win64", "xtrat", "psexec", "occamy", "brontok", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "webtoolbar", "trojanspy", "united", "malicious host", "control server", "cobalt strike", "squirrelwaffle", "pony", "binder", "suppobox", "virut", "ramnit", "formbook", "azorult", "simda", "nymaim", "malicious", "cve201711882", "download", "virustotal", "facebook", "service", "tag count", "tld count", "sun jan", "urls", "blacklist http", "contacted", "whois record", "ssl certificate", "execution", "resolutions", "referrer", "communicating", "historical ssl", "dropped", "redline stealer", "nanocore rat", "skynet", "njrat", "ransomware" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "XTRat", "display_name": "XTRat", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "SysTweak", "display_name": "SysTweak", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Filetour", "display_name": "Filetour", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Simba", "display_name": "Simba", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 79, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1409, "FileHash-SHA1": 772, "FileHash-SHA256": 787, "URL": 81, "domain": 27, "hostname": 135, "CVE": 18 }, "indicator_count": 3229, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c9717b0c7c783e1a390fc5", "name": "Report Spam Author avatar Skynet: Malware outbreak hits https://www.healthonecares.com/", "description": "", "modified": "2024-03-11T01:03:58.799000", "created": "2024-02-12T01:16:43.494000", "tags": [ "threat", "paste", "iocs", "hostnames", "urls https", "samples", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "generic malware", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "malware site", "phishing site", "malicious site", "iframe", "acint", "crack", "conduit", "unsafe", "artemis", "team", "nircmd", "exploit", "wacatac", "phishing", "unruy", "alexa", "outbreak", "installcore", "iobit", "dropper", "mediaget", "zpevdo", "installpack", "zbot", "qakbot", "opencandy", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "agent", "filetour", "cleaner", "rostpay", "union", "bank", "live", "win64", "xtrat", "psexec", "occamy", "brontok", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "webtoolbar", "trojanspy", "united", "malicious host", "control server", "cobalt strike", "squirrelwaffle", "pony", "binder", "suppobox", "virut", "ramnit", "formbook", "azorult", "simda", "nymaim", "malicious", "cve201711882", "download", "virustotal", "facebook", "service", "tag count", "tld count", "sun jan", "urls", "blacklist http", "contacted", "whois record", "ssl certificate", "execution", "resolutions", "referrer", "communicating", "historical ssl", "dropped", "redline stealer", "nanocore rat", "skynet", "njrat", "ransomware" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "XTRat", "display_name": "XTRat", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "SysTweak", "display_name": "SysTweak", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Filetour", "display_name": "Filetour", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Simba", "display_name": "Simba", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "65c6d66e70fdd3792838b5f8", "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1409, "FileHash-SHA1": 772, "FileHash-SHA256": 787, "URL": 81, "domain": 27, "hostname": 135, "CVE": 18 }, "indicator_count": 3229, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://chrome.google.com/webstore", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://chrome.google.com/webstore", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641128.721713 }