{ "type": "URL", "indicator": "https://cms.sas.stable-int.skyshowtime.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cms.sas.stable-int.skyshowtime.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3756231620, "indicator": "https://cms.sas.stable-int.skyshowtime.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab5eb4d0a233bf6f32edb", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:20:59.154000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab601f0d674294b603758", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:21.869000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab60667f8205c19d6b67b", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:26.244000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab616bb5869335d184ae7", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:42.183000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ae7b85bce5b026a160389", "name": "Command and Control Server and Services CRITICAL", "description": "HSBC\nInmortal\nRadar Ineractive\nRuleset Match:\nBackSwap Trojan detection by Ariel Millahuel\nCARROTBAT Malware detection by Ariel Millahuel", "modified": "2023-12-20T03:01:11.128000", "created": "2023-11-20T04:59:36.506000", "tags": [ "contacted", "execution", "dropped", "threat roundup", "august", "apple ios", "contacted urls", "referrer", "october", "april", "core", "february", "hacktool", "installer", "urls", "ovh sas", "domains", "ip detections", "country", "type name", "win32 exe", "noname057", "generic malware", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist http", "cisco umbrella", "site", "safe site", "wormx", "malicious site", "alexa top", "malware site", "million", "malicious url", "phishing site", "malware", "alexa", "phishing", "agent", "bank", "inmortal", "united", "cyber threat", "pony", "cnc zeus", "tracker", "cnc server", "covid19", "engineering", "http spammer", "host", "azorult", "asyncrat", "cobalt strike", "team", "hsbc", "file size", "files", "file type", "kb file", "highly targeted", "apple", "password", "tsara brashears", "awful", "radar ineractive", "no data", "blacklist", "malvertizing", "masquerading", "tulach", "114.114.114.114", "Noname057" ], "references": [], "public": 1, "adversary": "Unconfirmed Adversary", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 729, "FileHash-MD5": 950, "FileHash-SHA1": 482, "FileHash-SHA256": 878, "domain": 139, "hostname": 300, "CVE": 1 }, "indicator_count": 3479, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558c481715409563073cb79", "name": "Fraud Services", "description": "http://kramtechnology.com/, fraud services, network, rat, trojan, phishing, malvertizing, malware hosting, scanning host, archives browser events.", "modified": "2023-12-18T05:05:36.760000", "created": "2023-11-18T14:04:48.923000", "tags": [ "methodpost", "dropped", "contacted", "ssl certificate", "whois record", "zva8k4ghshhpcb5", "contacted urls", "q0gpyr1balpdgpo", "historical ssl", "page dow", "blacklist http", "cisco umbrella", "site", "alexa top", "safe site", "million", "paypal", "team phishing", "malicious url", "alexa", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "malware", "united", "passive dns", "scan endpoints", "all search", "otx octoseek", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "twitter", "log id", "gmtn", "sectigo rsa", "secure server", "tls web", "salford", "sectigo limited", "ocsp", "false", "california", "british virgin", "locality", "d3 a5", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14816, "FileHash-MD5": 41, "FileHash-SHA1": 33, "FileHash-SHA256": 5158, "domain": 3758, "hostname": 2961, "email": 4, "SSLCertFingerprint": 3, "CVE": 3 }, "indicator_count": 26777, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a79534c615a8f10f3380", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-12-06T16:55:49.669000", "created": "2023-12-06T16:55:49.669000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2383, "hostname": 1027, "domain": 418, "URL": 2673, "FileHash-MD5": 99, "FileHash-SHA1": 98 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a581b1024ea61979da96", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "", "modified": "2023-12-06T16:46:57.782000", "created": "2023-12-06T16:46:57.782000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 5791, "hostname": 3255, "domain": 2317, "FileHash-MD5": 44, "FileHash-SHA1": 34, "URL": 11513 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1344cd54f3a86745a617", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-10-31T16:03:29.760000", "created": "2023-10-30T02:21:56.497000", "tags": [ "ssl certificate", "contacted", "whois record", "execution", "bundled", "resolutions", "referrer", "communicating", "network", "historical ssl", "malware", "twitter", "hacktool", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6519c4b76612eda702942ad6", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 98, "FileHash-SHA256": 2383, "URL": 2673, "domain": 418, "hostname": 1027 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "900 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6519c4b76612eda702942ad6", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "Info Stealer\nET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 789", "modified": "2023-10-31T16:03:29.760000", "created": "2023-10-01T19:12:55.573000", "tags": [ "ssl certificate", "contacted", "whois record", "execution", "bundled", "resolutions", "referrer", "communicating", "network", "historical ssl", "malware", "twitter", "hacktool", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 98, "FileHash-SHA256": 2383, "URL": 2673, "domain": 418, "hostname": 1027 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "900 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650a0b7c9a6b3c5d0a2a3960", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "Link: apple.instagram.com \nQuasar is a lightweight, publicly available open-source Remote Access Trojan (RAT). Used by a variety of attackers. Typically packed to make analysis of the source demanding.\nAccount appears to have been breached, operational in dark web. Dead host.", "modified": "2023-10-19T14:04:37.381000", "created": "2023-09-19T20:58:36.137000", "tags": [ "contacted", "threat roundup", "execution", "ssl certificate", "dark web", "crypto threat", "resolutions", "referrer", "stealer", "quasar", "asyncrat", "error", "social engineering", "iPhone phishing", "Apple phishing", "email phishing", "emotet", "remote", "attacks" ], "references": [ "Alienvault OTX", "Data Analysis", "Online Research", "WebTools" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "India" ], "malware_families": [ { "id": "Backdoor:MSIL/AsyncRAT", "display_name": "Backdoor:MSIL/AsyncRAT", "target": "/malware/Backdoor:MSIL/AsyncRAT" }, { "id": "Backdoor:MSIL/QuasarRat", "display_name": "Backdoor:MSIL/QuasarRat", "target": "/malware/Backdoor:MSIL/QuasarRat" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" } ], "industries": [ "Media", "Social Media", "Technology", "Hacking" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 34, "FileHash-SHA256": 5791, "URL": 11513, "domain": 2317, "hostname": 3255, "CVE": 3 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "913 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "http://tracks.theleders.family", "WebTools", "Online Research", "103.233.208.9 (CNC IP)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://urlscan.io/domain/maxwam.tk", "emails.redvue.com (apple DNS w/amvima)", "nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "apex.jquery.com (scammer | works for who?)", "ddos.dnsnb8.net [command_and_control]", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "www.supernetforme.com [command_and_control]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://twitter.com/PORNO_SEXYBABES", "Data Analysis", "http://mobtrack.trkclk.net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "workers.dev [extraction \u2022 GET request attack]", "sex-ukraine.net", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "nexus.b2btest.ertelecom.ru", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators", "photos.theleders.family", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://micrologin.ogspy.net/track/dhl-information-contact.html", "freeimdatingsites.thomasdobo.eu", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "CVE: CVE-2023-23397", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "Alienvault OTX", "apple-dns.net", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "142.250.180.4 (init.ess)", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "dns.google (DNS client services - Doug Cole)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Unconfirmed Adversary" ], "malware_families": [ "Hallrender", "Ursnif", "Gamehack", "Hacktool", "Hsbc", "Et", "Makop", "States", "Win32:trojan-gen", "Malware", "Maltiverse", "Trojan:win32/cryptinject.sd!mtb", "Trojanspy", "Ransomexx", "Qakbot", "Beach research", "Generic", "Hallgrand", "Webtoolbar", "Sabey", "Emotet b", "Inmortal", "Win.malware.fileinfector-9834127-0", "Emotet", "Radar ineractive", "Ryuk ransomware", "Backdoor:msil/quasarrat", "Lockbit", "Lolkek", "Backdoor:msil/asyncrat" ], "industries": [ "Technology", "Media", "Hacking", "Social media" ], "unique_indicators": 108818 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/skyshowtime.com", "whois": "http://whois.domaintools.com/skyshowtime.com", "domain": "skyshowtime.com", "hostname": "cms.sas.stable-int.skyshowtime.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab5eb4d0a233bf6f32edb", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:20:59.154000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab601f0d674294b603758", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:21.869000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab60667f8205c19d6b67b", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:26.244000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab616bb5869335d184ae7", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:42.183000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cms.sas.stable-int.skyshowtime.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cms.sas.stable-int.skyshowtime.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776611143.0869741 }