{
  "type": "URL",
  "indicator": "https://clickoogle.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://clickoogle.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3815601611,
      "indicator": "https://clickoogle.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "692f23547b713b128b9c8156",
          "name": "Indicator Deletion Attack | Chris P. Ahmann Esq  still utilizes parking crews to execute cyber attacks",
          "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked  domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review  indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
          "modified": "2026-01-01T17:01:48.163000",
          "created": "2025-12-02T17:35:15.203000",
          "tags": [
            "data upload",
            "extraction",
            "failed",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "development att",
            "united",
            "flag",
            "poland poland",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "mitre att",
            "ck matrix",
            "pattern match",
            "ascii text",
            "show process",
            "network traffic",
            "t1057",
            "general",
            "local",
            "path",
            "encrypt",
            "hosts ip",
            "details",
            "ssl certificate",
            "sha256",
            "sha1",
            "size",
            "unicode text",
            "crlf",
            "utf8",
            "lf line",
            "server",
            "command decode",
            "markmonitor",
            "amazon",
            "ltd dba",
            "com laude",
            "organization",
            "click",
            "show technique",
            "brand",
            "microsoft edge",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "submitted",
            "prefetch1",
            "name server",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "contacted hosts",
            "google",
            "pornhub",
            "ip address",
            "t1480 execution",
            "file defense",
            "passive dns",
            "related nids",
            "urls",
            "files location",
            "flag united"
          ],
          "references": [
            "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
            "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com ,  etc Exploited",
            "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
            "pl.wikipedia.org \u2022  fontawesome.io \u2022  opensource.org \u2022 videojet.com",
            "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
            "https://www.milehighmedia.com/legal/2257",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "https://twitter.com/PORNO_SEXYBABES",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
            "https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
            "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
            "http://watchhers.net/index.php",
            "everesttech.net \u2022 aws.amazon.com \u2022  cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1358,
            "FileHash-MD5": 100,
            "FileHash-SHA1": 102,
            "FileHash-SHA256": 1682,
            "URL": 2497,
            "CVE": 2,
            "domain": 400,
            "SSLCertFingerprint": 6,
            "email": 3
          },
          "indicator_count": 6150,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "108 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "692e2d950ac7d1e2a3454a4f",
          "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack",
          "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers",
          "modified": "2025-12-31T23:04:59.378000",
          "created": "2025-12-02T00:06:45.807000",
          "tags": [
            "iocs",
            "drop",
            "network traffic",
            "ck id",
            "mitre att",
            "ck matrix",
            "network related",
            "detected",
            "t1566",
            "t1204",
            "united",
            "click",
            "windir",
            "openurl c",
            "prefetch2",
            "tor analysis",
            "dns requests",
            "learn",
            "suspicious",
            "informative",
            "name tactics",
            "adversaries",
            "command",
            "initial access",
            "spawns",
            "found",
            "binary file",
            "t1189",
            "regsetvalueexa",
            "regdword",
            "post http",
            "medium",
            "high",
            "regbinary",
            "loader",
            "dock",
            "write",
            "malware",
            "unknown",
            "romania unknown",
            "present may",
            "msie",
            "chrome",
            "body",
            "passive dns",
            "ip address",
            "present jun",
            "welcome",
            "accept",
            "encrypt",
            "gmt content",
            "ipv4 add",
            "url analysis",
            "urls",
            "files",
            "reverse dns",
            "unknown aaaa",
            "certificate",
            "hostname add",
            "error",
            "flag",
            "domain address",
            "contacted hosts",
            "type",
            "india unknown",
            "record value",
            "body html",
            "head title",
            "title",
            "entries",
            "read c",
            "high defense",
            "evasion",
            "yara detections",
            "virtool",
            "win32",
            "ahmann",
            "hacker group",
            "law firm",
            "order",
            "google",
            "smart assembly"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "VirTool:MSIL/Injector.BF",
              "display_name": "VirTool:MSIL/Injector.BF",
              "target": "/malware/VirTool:MSIL/Injector.BF"
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1087.003",
              "name": "Email Account",
              "display_name": "T1087.003 - Email Account"
            },
            {
              "id": "T1147",
              "name": "Hidden Users",
              "display_name": "T1147 - Hidden Users"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1459",
              "name": "Device Unlock Code Guessing or Brute Force",
              "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 115,
            "FileHash-SHA1": 112,
            "FileHash-SHA256": 589,
            "URL": 1795,
            "SSLCertFingerprint": 3,
            "domain": 319,
            "hostname": 847,
            "email": 1
          },
          "indicator_count": 3781,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "108 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c800ef879d19160279c628",
          "name": "Phishing Campaign",
          "description": "List of",
          "modified": "2025-04-04T07:04:28.709000",
          "created": "2025-03-05T07:44:47.276000",
          "tags": [
            "Phishing"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "display_name": "T1193 - Spearphishing Attachment"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sandnelis",
            "id": "311058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 286,
            "hostname": 86,
            "FileHash-SHA256": 241,
            "domain": 437
          },
          "indicator_count": 1050,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 9,
          "modified_text": "380 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "660b176a98b0c92ba5a962bc",
          "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise",
          "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.",
          "modified": "2024-09-04T05:01:56.993000",
          "created": "2024-04-01T20:22:02.851000",
          "tags": [
            "BEC"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
            "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
            "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
            "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
            "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 233,
            "FileHash-SHA1": 230,
            "FileHash-SHA256": 6703,
            "URL": 4450,
            "CIDR": 3,
            "domain": 6223,
            "hostname": 2863,
            "email": 7,
            "CVE": 53
          },
          "indicator_count": 20765,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "592 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "658f967a4fc7ebe8021b9382",
          "name": "Mirai Apple Attack +",
          "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"",
          "modified": "2024-01-29T03:01:29.910000",
          "created": "2023-12-30T04:03:06.598000",
          "tags": [
            "whois record",
            "ssl certificate",
            "contacted",
            "whois whois",
            "historical ssl",
            "referrer",
            "communicating",
            "resolutions",
            "apple",
            "collections",
            "core",
            "stealer",
            "execution",
            "ratel",
            "suspicious",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "urls https",
            "windir",
            "json data",
            "localappdata",
            "ascii text",
            "unicode text",
            "pattern match",
            "file",
            "indicator",
            "mitre att",
            "path",
            "factory",
            "hybrid",
            "general",
            "memcommit",
            "regsetvalueexa",
            "regdword",
            "t1055",
            "high",
            "regbinary",
            "dynamic dns",
            "regsetvalueexw",
            "regsz",
            "medium",
            "win32",
            "malware",
            "copy",
            "capture",
            "name servers",
            "creation date",
            "servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "expiration date",
            "scan endpoints",
            "all scoreblue",
            "date",
            "next",
            "applenoc",
            "showing",
            "status",
            "united",
            "as44273 host",
            "unknown",
            "all search",
            "otx scoreblue",
            "aaaa",
            "as54113",
            "privacy inc",
            "customer",
            "asnone united",
            "entries",
            "pulse pulses",
            "dga",
            "redacted for",
            "as20940",
            "body",
            "for privacy",
            "ipv4",
            "files",
            "location united",
            "america asn",
            "as54252",
            "type name",
            "dns replication",
            "iana",
            "whois lookup",
            "ipv4 address",
            "ripe ncc",
            "afrinic",
            "africa",
            "apnic",
            "asia pacific",
            "arin",
            "lacnic",
            "elf executable",
            "sysv",
            "linux",
            "elf wgetboat",
            "contacted urls",
            "red team",
            "tsara brashears",
            "apple phone",
            "unlocker",
            "fakedout threat",
            "hostname",
            "samples",
            "mirai",
            "ph elf",
            "telefonica de",
            "elf collection",
            "llwn",
            "text",
            "gp practice",
            "oracle",
            "apple ios",
            "password",
            "threat network",
            "kgs0",
            "kls0",
            "hacktool",
            "probe",
            "malicious"
          ],
          "references": [
            "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
            "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
            "https://twitter.com/PORNO_SEXYBABES",
            "IPv4 199.59.243.224  and  IPv4 67.21.93.249 - command_and_control",
            "103.246.145.111 phishing",
            "nr-data.net | Apple Private Data collection",
            "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
            "00000000.apple.com  | remote SIM Swap",
            "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
            "103.246.145.111  - scanning host",
            "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
            "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
            "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
            "usw2-platform-dmchat-avengers-prod-ext.apple.com",
            "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
            "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7,  http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "RATel",
              "display_name": "RATel",
              "target": null
            },
            {
              "id": "trojan.mirai/genericrxui",
              "display_name": "trojan.mirai/genericrxui",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 578,
            "FileHash-SHA1": 521,
            "FileHash-SHA256": 6392,
            "URL": 5741,
            "domain": 2243,
            "hostname": 1536,
            "SSLCertFingerprint": 2,
            "email": 8,
            "CVE": 1
          },
          "indicator_count": 17022,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "811 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "659127f3265ec6306b607faa",
          "name": "Mirai Apple Attack +",
          "description": "",
          "modified": "2024-01-29T03:01:29.910000",
          "created": "2023-12-31T08:36:03.380000",
          "tags": [
            "whois record",
            "ssl certificate",
            "contacted",
            "whois whois",
            "historical ssl",
            "referrer",
            "communicating",
            "resolutions",
            "apple",
            "collections",
            "core",
            "stealer",
            "execution",
            "ratel",
            "suspicious",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "urls https",
            "windir",
            "json data",
            "localappdata",
            "ascii text",
            "unicode text",
            "pattern match",
            "file",
            "indicator",
            "mitre att",
            "path",
            "factory",
            "hybrid",
            "general",
            "memcommit",
            "regsetvalueexa",
            "regdword",
            "t1055",
            "high",
            "regbinary",
            "dynamic dns",
            "regsetvalueexw",
            "regsz",
            "medium",
            "win32",
            "malware",
            "copy",
            "capture",
            "name servers",
            "creation date",
            "servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "expiration date",
            "scan endpoints",
            "all scoreblue",
            "date",
            "next",
            "applenoc",
            "showing",
            "status",
            "united",
            "as44273 host",
            "unknown",
            "all search",
            "otx scoreblue",
            "aaaa",
            "as54113",
            "privacy inc",
            "customer",
            "asnone united",
            "entries",
            "pulse pulses",
            "dga",
            "redacted for",
            "as20940",
            "body",
            "for privacy",
            "ipv4",
            "files",
            "location united",
            "america asn",
            "as54252",
            "type name",
            "dns replication",
            "iana",
            "whois lookup",
            "ipv4 address",
            "ripe ncc",
            "afrinic",
            "africa",
            "apnic",
            "asia pacific",
            "arin",
            "lacnic",
            "elf executable",
            "sysv",
            "linux",
            "elf wgetboat",
            "contacted urls",
            "red team",
            "tsara brashears",
            "apple phone",
            "unlocker",
            "fakedout threat",
            "hostname",
            "samples",
            "mirai",
            "ph elf",
            "telefonica de",
            "elf collection",
            "llwn",
            "text",
            "gp practice",
            "oracle",
            "apple ios",
            "password",
            "threat network",
            "kgs0",
            "kls0",
            "hacktool",
            "probe",
            "malicious"
          ],
          "references": [
            "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
            "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
            "https://twitter.com/PORNO_SEXYBABES",
            "IPv4 199.59.243.224  and  IPv4 67.21.93.249 - command_and_control",
            "103.246.145.111 phishing",
            "nr-data.net | Apple Private Data collection",
            "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
            "00000000.apple.com  | remote SIM Swap",
            "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
            "103.246.145.111  - scanning host",
            "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
            "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
            "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
            "usw2-platform-dmchat-avengers-prod-ext.apple.com",
            "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
            "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7,  http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "RATel",
              "display_name": "RATel",
              "target": null
            },
            {
              "id": "trojan.mirai/genericrxui",
              "display_name": "trojan.mirai/genericrxui",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "658f967a4fc7ebe8021b9382",
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 578,
            "FileHash-SHA1": 521,
            "FileHash-SHA256": 6392,
            "URL": 5741,
            "domain": 2243,
            "hostname": 1536,
            "SSLCertFingerprint": 2,
            "email": 8,
            "CVE": 1
          },
          "indicator_count": 17022,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "811 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65944b9812ea52ab41c0259d",
          "name": "Mirai Apple Attack +",
          "description": "",
          "modified": "2024-01-29T03:01:29.910000",
          "created": "2024-01-02T17:44:56.709000",
          "tags": [
            "whois record",
            "ssl certificate",
            "contacted",
            "whois whois",
            "historical ssl",
            "referrer",
            "communicating",
            "resolutions",
            "apple",
            "collections",
            "core",
            "stealer",
            "execution",
            "ratel",
            "suspicious",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "urls https",
            "windir",
            "json data",
            "localappdata",
            "ascii text",
            "unicode text",
            "pattern match",
            "file",
            "indicator",
            "mitre att",
            "path",
            "factory",
            "hybrid",
            "general",
            "memcommit",
            "regsetvalueexa",
            "regdword",
            "t1055",
            "high",
            "regbinary",
            "dynamic dns",
            "regsetvalueexw",
            "regsz",
            "medium",
            "win32",
            "malware",
            "copy",
            "capture",
            "name servers",
            "creation date",
            "servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "expiration date",
            "scan endpoints",
            "all scoreblue",
            "date",
            "next",
            "applenoc",
            "showing",
            "status",
            "united",
            "as44273 host",
            "unknown",
            "all search",
            "otx scoreblue",
            "aaaa",
            "as54113",
            "privacy inc",
            "customer",
            "asnone united",
            "entries",
            "pulse pulses",
            "dga",
            "redacted for",
            "as20940",
            "body",
            "for privacy",
            "ipv4",
            "files",
            "location united",
            "america asn",
            "as54252",
            "type name",
            "dns replication",
            "iana",
            "whois lookup",
            "ipv4 address",
            "ripe ncc",
            "afrinic",
            "africa",
            "apnic",
            "asia pacific",
            "arin",
            "lacnic",
            "elf executable",
            "sysv",
            "linux",
            "elf wgetboat",
            "contacted urls",
            "red team",
            "tsara brashears",
            "apple phone",
            "unlocker",
            "fakedout threat",
            "hostname",
            "samples",
            "mirai",
            "ph elf",
            "telefonica de",
            "elf collection",
            "llwn",
            "text",
            "gp practice",
            "oracle",
            "apple ios",
            "password",
            "threat network",
            "kgs0",
            "kls0",
            "hacktool",
            "probe",
            "malicious"
          ],
          "references": [
            "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
            "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
            "https://twitter.com/PORNO_SEXYBABES",
            "IPv4 199.59.243.224  and  IPv4 67.21.93.249 - command_and_control",
            "103.246.145.111 phishing",
            "nr-data.net | Apple Private Data collection",
            "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
            "00000000.apple.com  | remote SIM Swap",
            "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
            "103.246.145.111  - scanning host",
            "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
            "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
            "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
            "usw2-platform-dmchat-avengers-prod-ext.apple.com",
            "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
            "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7,  http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "RATel",
              "display_name": "RATel",
              "target": null
            },
            {
              "id": "trojan.mirai/genericrxui",
              "display_name": "trojan.mirai/genericrxui",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "658f967a4fc7ebe8021b9382",
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 578,
            "FileHash-SHA1": 521,
            "FileHash-SHA256": 6392,
            "URL": 5741,
            "domain": 2243,
            "hostname": 1536,
            "SSLCertFingerprint": 2,
            "email": 8,
            "CVE": 1
          },
          "indicator_count": 17022,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "811 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
        "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://twitter.com/PORNO_SEXYBABES",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
        "everesttech.net \u2022 aws.amazon.com \u2022  cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com",
        "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
        "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
        "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
        "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
        "https://www.milehighmedia.com/legal/2257",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
        "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
        "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
        "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
        "http://watchhers.net/index.php",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate",
        "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
        "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com ,  etc Exploited",
        "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
        "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
        "00000000.apple.com  | remote SIM Swap",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
        "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "IPv4 199.59.243.224  and  IPv4 67.21.93.249 - command_and_control",
        "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
        "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears",
        "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7,  http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86",
        "103.246.145.111  - scanning host",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "pl.wikipedia.org \u2022  fontawesome.io \u2022  opensource.org \u2022 videojet.com",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
        "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
        "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
        "103.246.145.111 phishing",
        "nr-data.net | Apple Private Data collection",
        "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
        "usw2-platform-dmchat-avengers-prod-ext.apple.com"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cve-2023-22518",
            "Ratel",
            "Ransomware",
            "Virtool:msil/injector.bf",
            "Other malware",
            "Trojan.mirai/genericrxui"
          ],
          "industries": [
            "Education",
            "Government",
            "Technology"
          ],
          "unique_indicators": 34362
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/clickoogle.com",
    "whois": "http://whois.domaintools.com/clickoogle.com",
    "domain": "clickoogle.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "692f23547b713b128b9c8156",
      "name": "Indicator Deletion Attack | Chris P. Ahmann Esq  still utilizes parking crews to execute cyber attacks",
      "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked  domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review  indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
      "modified": "2026-01-01T17:01:48.163000",
      "created": "2025-12-02T17:35:15.203000",
      "tags": [
        "data upload",
        "extraction",
        "failed",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "development att",
        "united",
        "flag",
        "poland poland",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "mitre att",
        "ck matrix",
        "pattern match",
        "ascii text",
        "show process",
        "network traffic",
        "t1057",
        "general",
        "local",
        "path",
        "encrypt",
        "hosts ip",
        "details",
        "ssl certificate",
        "sha256",
        "sha1",
        "size",
        "unicode text",
        "crlf",
        "utf8",
        "lf line",
        "server",
        "command decode",
        "markmonitor",
        "amazon",
        "ltd dba",
        "com laude",
        "organization",
        "click",
        "show technique",
        "brand",
        "microsoft edge",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "submitted",
        "prefetch1",
        "name server",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "contacted hosts",
        "google",
        "pornhub",
        "ip address",
        "t1480 execution",
        "file defense",
        "passive dns",
        "related nids",
        "urls",
        "files location",
        "flag united"
      ],
      "references": [
        "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
        "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com ,  etc Exploited",
        "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
        "pl.wikipedia.org \u2022  fontawesome.io \u2022  opensource.org \u2022 videojet.com",
        "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
        "https://www.milehighmedia.com/legal/2257",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://twitter.com/PORNO_SEXYBABES",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
        "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
        "http://watchhers.net/index.php",
        "everesttech.net \u2022 aws.amazon.com \u2022  cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "Other Malware",
          "display_name": "Other Malware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1358,
        "FileHash-MD5": 100,
        "FileHash-SHA1": 102,
        "FileHash-SHA256": 1682,
        "URL": 2497,
        "CVE": 2,
        "domain": 400,
        "SSLCertFingerprint": 6,
        "email": 3
      },
      "indicator_count": 6150,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "108 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "692e2d950ac7d1e2a3454a4f",
      "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack",
      "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers",
      "modified": "2025-12-31T23:04:59.378000",
      "created": "2025-12-02T00:06:45.807000",
      "tags": [
        "iocs",
        "drop",
        "network traffic",
        "ck id",
        "mitre att",
        "ck matrix",
        "network related",
        "detected",
        "t1566",
        "t1204",
        "united",
        "click",
        "windir",
        "openurl c",
        "prefetch2",
        "tor analysis",
        "dns requests",
        "learn",
        "suspicious",
        "informative",
        "name tactics",
        "adversaries",
        "command",
        "initial access",
        "spawns",
        "found",
        "binary file",
        "t1189",
        "regsetvalueexa",
        "regdword",
        "post http",
        "medium",
        "high",
        "regbinary",
        "loader",
        "dock",
        "write",
        "malware",
        "unknown",
        "romania unknown",
        "present may",
        "msie",
        "chrome",
        "body",
        "passive dns",
        "ip address",
        "present jun",
        "welcome",
        "accept",
        "encrypt",
        "gmt content",
        "ipv4 add",
        "url analysis",
        "urls",
        "files",
        "reverse dns",
        "unknown aaaa",
        "certificate",
        "hostname add",
        "error",
        "flag",
        "domain address",
        "contacted hosts",
        "type",
        "india unknown",
        "record value",
        "body html",
        "head title",
        "title",
        "entries",
        "read c",
        "high defense",
        "evasion",
        "yara detections",
        "virtool",
        "win32",
        "ahmann",
        "hacker group",
        "law firm",
        "order",
        "google",
        "smart assembly"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "VirTool:MSIL/Injector.BF",
          "display_name": "VirTool:MSIL/Injector.BF",
          "target": "/malware/VirTool:MSIL/Injector.BF"
        },
        {
          "id": "Other Malware",
          "display_name": "Other Malware",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1087.003",
          "name": "Email Account",
          "display_name": "T1087.003 - Email Account"
        },
        {
          "id": "T1147",
          "name": "Hidden Users",
          "display_name": "T1147 - Hidden Users"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1459",
          "name": "Device Unlock Code Guessing or Brute Force",
          "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 115,
        "FileHash-SHA1": 112,
        "FileHash-SHA256": 589,
        "URL": 1795,
        "SSLCertFingerprint": 3,
        "domain": 319,
        "hostname": 847,
        "email": 1
      },
      "indicator_count": 3781,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "108 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c800ef879d19160279c628",
      "name": "Phishing Campaign",
      "description": "List of",
      "modified": "2025-04-04T07:04:28.709000",
      "created": "2025-03-05T07:44:47.276000",
      "tags": [
        "Phishing"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "display_name": "T1193 - Spearphishing Attachment"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "sandnelis",
        "id": "311058",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 286,
        "hostname": 86,
        "FileHash-SHA256": 241,
        "domain": 437
      },
      "indicator_count": 1050,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 9,
      "modified_text": "380 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "660b176a98b0c92ba5a962bc",
      "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise",
      "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.",
      "modified": "2024-09-04T05:01:56.993000",
      "created": "2024-04-01T20:22:02.851000",
      "tags": [
        "BEC"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
        "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
        "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
        "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
        "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 233,
        "FileHash-SHA1": 230,
        "FileHash-SHA256": 6703,
        "URL": 4450,
        "CIDR": 3,
        "domain": 6223,
        "hostname": 2863,
        "email": 7,
        "CVE": 53
      },
      "indicator_count": 20765,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "592 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "658f967a4fc7ebe8021b9382",
      "name": "Mirai Apple Attack +",
      "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"",
      "modified": "2024-01-29T03:01:29.910000",
      "created": "2023-12-30T04:03:06.598000",
      "tags": [
        "whois record",
        "ssl certificate",
        "contacted",
        "whois whois",
        "historical ssl",
        "referrer",
        "communicating",
        "resolutions",
        "apple",
        "collections",
        "core",
        "stealer",
        "execution",
        "ratel",
        "suspicious",
        "threat",
        "paste",
        "iocs",
        "hostnames",
        "urls https",
        "windir",
        "json data",
        "localappdata",
        "ascii text",
        "unicode text",
        "pattern match",
        "file",
        "indicator",
        "mitre att",
        "path",
        "factory",
        "hybrid",
        "general",
        "memcommit",
        "regsetvalueexa",
        "regdword",
        "t1055",
        "high",
        "regbinary",
        "dynamic dns",
        "regsetvalueexw",
        "regsz",
        "medium",
        "win32",
        "malware",
        "copy",
        "capture",
        "name servers",
        "creation date",
        "servers",
        "passive dns",
        "urls",
        "domain",
        "search",
        "expiration date",
        "scan endpoints",
        "all scoreblue",
        "date",
        "next",
        "applenoc",
        "showing",
        "status",
        "united",
        "as44273 host",
        "unknown",
        "all search",
        "otx scoreblue",
        "aaaa",
        "as54113",
        "privacy inc",
        "customer",
        "asnone united",
        "entries",
        "pulse pulses",
        "dga",
        "redacted for",
        "as20940",
        "body",
        "for privacy",
        "ipv4",
        "files",
        "location united",
        "america asn",
        "as54252",
        "type name",
        "dns replication",
        "iana",
        "whois lookup",
        "ipv4 address",
        "ripe ncc",
        "afrinic",
        "africa",
        "apnic",
        "asia pacific",
        "arin",
        "lacnic",
        "elf executable",
        "sysv",
        "linux",
        "elf wgetboat",
        "contacted urls",
        "red team",
        "tsara brashears",
        "apple phone",
        "unlocker",
        "fakedout threat",
        "hostname",
        "samples",
        "mirai",
        "ph elf",
        "telefonica de",
        "elf collection",
        "llwn",
        "text",
        "gp practice",
        "oracle",
        "apple ios",
        "password",
        "threat network",
        "kgs0",
        "kls0",
        "hacktool",
        "probe",
        "malicious"
      ],
      "references": [
        "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
        "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
        "https://twitter.com/PORNO_SEXYBABES",
        "IPv4 199.59.243.224  and  IPv4 67.21.93.249 - command_and_control",
        "103.246.145.111 phishing",
        "nr-data.net | Apple Private Data collection",
        "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
        "00000000.apple.com  | remote SIM Swap",
        "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
        "103.246.145.111  - scanning host",
        "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
        "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap",
        "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)",
        "usw2-platform-dmchat-avengers-prod-ext.apple.com",
        "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
        "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7,  http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "RATel",
          "display_name": "RATel",
          "target": null
        },
        {
          "id": "trojan.mirai/genericrxui",
          "display_name": "trojan.mirai/genericrxui",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 578,
        "FileHash-SHA1": 521,
        "FileHash-SHA256": 6392,
        "URL": 5741,
        "domain": 2243,
        "hostname": 1536,
        "SSLCertFingerprint": 2,
        "email": 8,
        "CVE": 1
      },
      "indicator_count": 17022,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "811 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "659127f3265ec6306b607faa",
      "name": "Mirai Apple Attack +",
      "description": "",
      "modified": "2024-01-29T03:01:29.910000",
      "created": "2023-12-31T08:36:03.380000",
      "tags": [
        "whois record",
        "ssl certificate",
        "contacted",
        "whois whois",
        "historical ssl",
        "referrer",
        "communicating",
        "resolutions",
        "apple",
        "collections",
        "core",
        "stealer",
        "execution",
        "ratel",
        "suspicious",
        "threat",
        "paste",
        "iocs",
        "hostnames",
        "urls https",
        "windir",
        "json data",
        "localappdata",
        "ascii text",
        "unicode text",
        "pattern match",
        "file",
        "indicator",
        "mitre att",
        "path",
        "factory",
        "hybrid",
        "general",
        "memcommit",
        "regsetvalueexa",
        "regdword",
        "t1055",
        "high",
        "regbinary",
        "dynamic dns",
        "regsetvalueexw",
        "regsz",
        "medium",
        "win32",
        "malware",
        "copy",
        "capture",
        "name servers",
        "creation date",
        "servers",
        "passive dns",
        "urls",
        "domain",
        "search",
        "expiration date",
        "scan endpoints",
        "all scoreblue",
        "date",
        "next",
        "applenoc",
        "showing",
        "status",
        "united",
        "as44273 host",
        "unknown",
        "all search",
        "otx scoreblue",
        "aaaa",
        "as54113",
        "privacy inc",
        "customer",
        "asnone united",
        "entries",
        "pulse pulses",
        "dga",
        "redacted for",
        "as20940",
        "body",
        "for privacy",
        "ipv4",
        "files",
        "location united",
        "america asn",
        "as54252",
        "type name",
        "dns replication",
        "iana",
        "whois lookup",
        "ipv4 address",
        "ripe ncc",
        "afrinic",
        "africa",
        "apnic",
        "asia pacific",
        "arin",
        "lacnic",
        "elf executable",
        "sysv",
        "linux",
        "elf wgetboat",
        "contacted urls",
        "red team",
        "tsara brashears",
        "apple phone",
        "unlocker",
        "fakedout threat",
        "hostname",
        "samples",
        "mirai",
        "ph elf",
        "telefonica de",
        "elf collection",
        "llwn",
        "text",
        "gp practice",
        "oracle",
        "apple ios",
        "password",
        "threat network",
        "kgs0",
        "kls0",
        "hacktool",
        "probe",
        "malicious"
      ],
      "references": [
        "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
        "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
        "https://twitter.com/PORNO_SEXYBABES",
        "IPv4 199.59.243.224  and  IPv4 67.21.93.249 - command_and_control",
        "103.246.145.111 phishing",
        "nr-data.net | Apple Private Data collection",
        "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
        "00000000.apple.com  | remote SIM Swap",
        "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
        "103.246.145.111  - scanning host",
        "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
        "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seem to be several VT users experiencing similar issues w/overlap)",
        "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enters via Apple media)",
        "usw2-platform-dmchat-avengers-prod-ext.apple.com",
        "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
        "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7,  http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "RATel",
          "display_name": "RATel",
          "target": null
        },
        {
          "id": "trojan.mirai/genericrxui",
          "display_name": "trojan.mirai/genericrxui",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "658f967a4fc7ebe8021b9382",
      "export_count": 30,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 578,
        "FileHash-SHA1": 521,
        "FileHash-SHA256": 6392,
        "URL": 5741,
        "domain": 2243,
        "hostname": 1536,
        "SSLCertFingerprint": 2,
        "email": 8,
        "CVE": 1
      },
      "indicator_count": 17022,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "811 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65944b9812ea52ab41c0259d",
      "name": "Mirai Apple Attack +",
      "description": "",
      "modified": "2024-01-29T03:01:29.910000",
      "created": "2024-01-02T17:44:56.709000",
      "tags": [
        "whois record",
        "ssl certificate",
        "contacted",
        "whois whois",
        "historical ssl",
        "referrer",
        "communicating",
        "resolutions",
        "apple",
        "collections",
        "core",
        "stealer",
        "execution",
        "ratel",
        "suspicious",
        "threat",
        "paste",
        "iocs",
        "hostnames",
        "urls https",
        "windir",
        "json data",
        "localappdata",
        "ascii text",
        "unicode text",
        "pattern match",
        "file",
        "indicator",
        "mitre att",
        "path",
        "factory",
        "hybrid",
        "general",
        "memcommit",
        "regsetvalueexa",
        "regdword",
        "t1055",
        "high",
        "regbinary",
        "dynamic dns",
        "regsetvalueexw",
        "regsz",
        "medium",
        "win32",
        "malware",
        "copy",
        "capture",
        "name servers",
        "creation date",
        "servers",
        "passive dns",
        "urls",
        "domain",
        "search",
        "expiration date",
        "scan endpoints",
        "all scoreblue",
        "date",
        "next",
        "applenoc",
        "showing",
        "status",
        "united",
        "as44273 host",
        "unknown",
        "all search",
        "otx scoreblue",
        "aaaa",
        "as54113",
        "privacy inc",
        "customer",
        "asnone united",
        "entries",
        "pulse pulses",
        "dga",
        "redacted for",
        "as20940",
        "body",
        "for privacy",
        "ipv4",
        "files",
        "location united",
        "america asn",
        "as54252",
        "type name",
        "dns replication",
        "iana",
        "whois lookup",
        "ipv4 address",
        "ripe ncc",
        "afrinic",
        "africa",
        "apnic",
        "asia pacific",
        "arin",
        "lacnic",
        "elf executable",
        "sysv",
        "linux",
        "elf wgetboat",
        "contacted urls",
        "red team",
        "tsara brashears",
        "apple phone",
        "unlocker",
        "fakedout threat",
        "hostname",
        "samples",
        "mirai",
        "ph elf",
        "telefonica de",
        "elf collection",
        "llwn",
        "text",
        "gp practice",
        "oracle",
        "apple ios",
        "password",
        "threat network",
        "kgs0",
        "kls0",
        "hacktool",
        "probe",
        "malicious"
      ],
      "references": [
        "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers",
        "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525",
        "https://twitter.com/PORNO_SEXYBABES",
        "IPv4 199.59.243.224  and  IPv4 67.21.93.249 - command_and_control",
        "103.246.145.111 phishing",
        "nr-data.net | Apple Private Data collection",
        "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706",
        "00000000.apple.com  | remote SIM Swap",
        "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97",
        "103.246.145.111  - scanning host",
        "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p",
        "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seem to be several VT users experiencing similar issues w/overlap)",
        "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enters via Apple media)",
        "usw2-platform-dmchat-avengers-prod-ext.apple.com",
        "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97",
        "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7,  http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "RATel",
          "display_name": "RATel",
          "target": null
        },
        {
          "id": "trojan.mirai/genericrxui",
          "display_name": "trojan.mirai/genericrxui",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "658f967a4fc7ebe8021b9382",
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 578,
        "FileHash-SHA1": 521,
        "FileHash-SHA256": 6392,
        "URL": 5741,
        "domain": 2243,
        "hostname": 1536,
        "SSLCertFingerprint": 2,
        "email": 8,
        "CVE": 1
      },
      "indicator_count": 17022,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 223,
      "modified_text": "811 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://clickoogle.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://clickoogle.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776638528.2075858
}