{ "type": "URL", "indicator": "https://cloud.sihomuwe-ter.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cloud.sihomuwe-ter.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2865720006, "indicator": "https://cloud.sihomuwe-ter.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657089f0a9a109319e652f2e", "name": "Democracy.works_3.23.22", "description": "", "modified": "2023-12-06T14:49:20.276000", "created": "2023-12-06T14:49:20.276000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 3788, "URL": 10812, "hostname": 2537, "domain": 1018, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 18160, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657089d7a9a109319e652f2d", "name": "DEMOCRACY.WORKS", "description": "", "modified": "2023-12-06T14:48:55.889000", "created": "2023-12-06T14:48:55.889000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 3611, "URL": 9861, "hostname": 2031, "domain": 945, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 16452, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f8ee427db014eda79f3", "name": "FAKE MDM's and HASH", "description": "", "modified": "2023-12-06T14:05:02.692000", "created": "2023-12-06T14:05:02.692000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6858, "FileHash-SHA256": 2217, "FileHash-MD5": 488, "FileHash-SHA1": 494, "domain": 266, "hostname": 1729 }, "indicator_count": 12052, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f66d3fe743b63b06fc5", "name": "This is a botnet consisting of millions of user controlled devices masquerading as mdm enterprise", "description": "", "modified": "2023-12-06T14:04:22.492000", "created": "2023-12-06T14:04:22.492000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6912, "FileHash-SHA256": 2217, "domain": 248, "hostname": 1815, "FileHash-SHA1": 7 }, "indicator_count": 11199, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "623b7febb8bc01a01e42ab3d", "name": "Democracy.works_3.23.22", "description": "", "modified": "2022-04-22T00:03:50.614000", "created": "2022-03-23T20:15:39.720000", "tags": [], "references": [ "Democracy.works_3.23.22..pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10812, "hostname": 2537, "domain": 1018, "FileHash-SHA256": 3788, "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 18160, "is_author": false, "is_subscribing": null, "subscriber_count": 411, "modified_text": "1500 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "623920a2146150d2d8525a73", "name": "DEMOCRACY.WORKS", "description": "", "modified": "2022-04-20T00:02:21.571000", "created": "2022-03-22T01:04:34.472000", "tags": [], "references": [ "DEMOCRACY.WORKS.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9861, "domain": 945, "hostname": 2031, "FileHash-SHA256": 3611, "CVE": 1, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 16452, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "1502 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621cb7979a0e098a59765794", "name": "FAKE MDM's and HASH", "description": "FAKE MDM HOSTS AND HASH FILES TO COMPLIMENT IT.", "modified": "2022-03-30T00:00:10.458000", "created": "2022-02-28T11:52:55.393000", "tags": [ "filehashsha256", "ipv4", "filehashsha1", "indicator", "description", "antiviru", "up blocker", "xoz1" ], "references": [ "621a207acd980846334d7fb4.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "craignbmed", "id": "181999", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_181999/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 488, "FileHash-SHA1": 494, "FileHash-SHA256": 2217, "URL": 6858, "domain": 266, "hostname": 1729 }, "indicator_count": 12052, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "1523 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621a207acd980846334d7fb4", "name": "This is a botnet consisting of millions of user controlled devices masquerading as mdm enterprise", "description": "sitting on home network private ip' all managed under the remotewd and w2go domains. They all look clean and shiny on the top layers but are all working together underneath to spread and cause merry hell. Compromised social media creds logging in to multiple other browssers at the same time exploiting others while you go about your business online. This is at least twice the size again of this pulse list", "modified": "2022-03-28T00:01:22.803000", "created": "2022-02-26T12:43:38.731000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1398", "name": "Modify OS Kernel or Boot Partition", "display_name": "T1398 - Modify OS Kernel or Boot Partition" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1400", "name": "Modify System Partition", "display_name": "T1400 - Modify System Partition" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1402", "name": "Broadcast Receivers", "display_name": "T1402 - Broadcast Receivers" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1815, "URL": 6912, "domain": 248, "FileHash-SHA256": 2217, "FileHash-SHA1": 7 }, "indicator_count": 11199, "is_author": false, "is_subscribing": null, "subscriber_count": 402, "modified_text": "1525 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Democracy.works_3.23.22..pdf", "621a207acd980846334d7fb4.csv", "DEMOCRACY.WORKS.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 36415 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sihomuwe-ter.com", "whois": "http://whois.domaintools.com/sihomuwe-ter.com", "domain": "sihomuwe-ter.com", "hostname": "cloud.sihomuwe-ter.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657089f0a9a109319e652f2e", "name": "Democracy.works_3.23.22", "description": "", "modified": "2023-12-06T14:49:20.276000", "created": "2023-12-06T14:49:20.276000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 3788, "URL": 10812, "hostname": 2537, "domain": 1018, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 18160, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657089d7a9a109319e652f2d", "name": "DEMOCRACY.WORKS", "description": "", "modified": "2023-12-06T14:48:55.889000", "created": "2023-12-06T14:48:55.889000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 3611, "URL": 9861, "hostname": 2031, "domain": 945, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 16452, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f8ee427db014eda79f3", "name": "FAKE MDM's and HASH", "description": "", "modified": "2023-12-06T14:05:02.692000", "created": "2023-12-06T14:05:02.692000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6858, "FileHash-SHA256": 2217, "FileHash-MD5": 488, "FileHash-SHA1": 494, "domain": 266, "hostname": 1729 }, "indicator_count": 12052, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f66d3fe743b63b06fc5", "name": "This is a botnet consisting of millions of user controlled devices masquerading as mdm enterprise", "description": "", "modified": "2023-12-06T14:04:22.492000", "created": "2023-12-06T14:04:22.492000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6912, "FileHash-SHA256": 2217, "domain": 248, "hostname": 1815, "FileHash-SHA1": 7 }, "indicator_count": 11199, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "623b7febb8bc01a01e42ab3d", "name": "Democracy.works_3.23.22", "description": "", "modified": "2022-04-22T00:03:50.614000", "created": "2022-03-23T20:15:39.720000", "tags": [], "references": [ "Democracy.works_3.23.22..pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10812, "hostname": 2537, "domain": 1018, "FileHash-SHA256": 3788, "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 18160, "is_author": false, "is_subscribing": null, "subscriber_count": 411, "modified_text": "1500 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "623920a2146150d2d8525a73", "name": "DEMOCRACY.WORKS", "description": "", "modified": "2022-04-20T00:02:21.571000", "created": "2022-03-22T01:04:34.472000", "tags": [], "references": [ "DEMOCRACY.WORKS.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9861, "domain": 945, "hostname": 2031, "FileHash-SHA256": 3611, "CVE": 1, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 16452, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "1502 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621cb7979a0e098a59765794", "name": "FAKE MDM's and HASH", "description": "FAKE MDM HOSTS AND HASH FILES TO COMPLIMENT IT.", "modified": "2022-03-30T00:00:10.458000", "created": "2022-02-28T11:52:55.393000", "tags": [ "filehashsha256", "ipv4", "filehashsha1", "indicator", "description", "antiviru", "up blocker", "xoz1" ], "references": [ "621a207acd980846334d7fb4.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "craignbmed", "id": "181999", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_181999/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 488, "FileHash-SHA1": 494, "FileHash-SHA256": 2217, "URL": 6858, "domain": 266, "hostname": 1729 }, "indicator_count": 12052, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "1523 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621a207acd980846334d7fb4", "name": "This is a botnet consisting of millions of user controlled devices masquerading as mdm enterprise", "description": "sitting on home network private ip' all managed under the remotewd and w2go domains. They all look clean and shiny on the top layers but are all working together underneath to spread and cause merry hell. Compromised social media creds logging in to multiple other browssers at the same time exploiting others while you go about your business online. This is at least twice the size again of this pulse list", "modified": "2022-03-28T00:01:22.803000", "created": "2022-02-26T12:43:38.731000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1398", "name": "Modify OS Kernel or Boot Partition", "display_name": "T1398 - Modify OS Kernel or Boot Partition" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1400", "name": "Modify System Partition", "display_name": "T1400 - Modify System Partition" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1402", "name": "Broadcast Receivers", "display_name": "T1402 - Broadcast Receivers" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1815, "URL": 6912, "domain": 248, "FileHash-SHA256": 2217, "FileHash-SHA1": 7 }, "indicator_count": 11199, "is_author": false, "is_subscribing": null, "subscriber_count": 402, "modified_text": "1525 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cloud.sihomuwe-ter.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cloud.sihomuwe-ter.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780224450.8863025 }