{ "type": "URL", "indicator": "https://code.jquery.com/jquery-3.3.1.min.js", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://code.jquery.com/jquery-3.3.1.min.js", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #689", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain jquery.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain jquery.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3158399525, "indicator": "https://code.jquery.com/jquery-3.3.1.min.js", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 49, "pulses": [ { "id": "66f38d1b2e4ef8d8db533d36", "name": "FormBook - moa.moe ??? Pegasus & Brian Sabey Related", "description": "", "modified": "2024-10-25T03:00:50.871000", "created": "2024-09-25T04:10:03.211000", "tags": [ "as54113", "united", "a domains", "passive dns", "unknown", "mtb sep", "github pages", "request id", "sea x", "twitter", "accept", "status", "cookie", "search", "certificate", "record value", "showing", "as8075", "aaaa", "asnone united", "yara detections", "trojan", "show", "all scoreblue", "av detections", "ids detections", "body", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "urls", "443 ma2592000", "encrypt", "germany unknown", "meta http", "content", "gmt server", "th th", "ipv4", "main", "name servers", "redacted for", "for privacy", "servers", "meta", "homemakers", "as212222", "script domains", "script urls", "diy artikelen", "zo bieden", "class", "customer", "as16276", "canada unknown", "sigattr", "formbook cnc", "checkin", "win32", "entries", "bootasep apr", "alerts", "read", "write", "delete", "top source", "files", "location united", "creation date", "domain", "emails", "expiration date", "next", "ovhcloud meta", "cname", "as36459", "whitelisted ip", "address", "asn as36459", "registrar", "markmonitor", "related tags", "france unknown", "moved", "setcookie", "gmt contenttype", "refloadapihash", "france", "nxdomain", "aaaa fd00", "as16276 ovh", "poland", "error", "backend", "as40065", "china unknown", "deleted site", "atom", "record type", "ttl value", "as174 cogent", "pulse submit", "url analysis", "hostname", "as64050 bgpnet", "x9875 x9762", "gmt max", "httponly", "hong kong", "taiwan unknown", "china asn", "server", "privacy tech", "privacy admin", "registrar abuse", "country", "organization", "postal code", "stateprovince", "code", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "ec oid", "dns replication", "algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "enom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Singapore" ], "malware_families": [ { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4675, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 623, "FileHash-MD5": 760, "FileHash-SHA1": 794, "FileHash-SHA256": 3406, "domain": 1633, "hostname": 1037, "email": 17, "CVE": 1 }, "indicator_count": 8271, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f270d3801ae3dfde1cd0", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware ", "description": "", "modified": "2024-07-30T08:04:39.977000", "created": "2024-07-01T00:04:00.567000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": "668115d703e0a46887c7f08d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668115d703e0a46887c7f08d", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware", "description": "Targeted Individual has experienced attacks on both iOS, Android, MacBooks & PC's. Drive-by Compromise can be accomplished by various methods this can be done, for example: A pop up advert could have an 'X' in the corner that disguises itself as a close button, but actually acts as a catalyst for starting a malicious download once pressed. A tactic used on specific target is a pop-up w/with (a non-Google affiliated disclaimer)'Google' account chooser with Google logo desired email checked. [https://accounts.google.com/AccountChooser?]; checked. Every time TB acquired a new phone, this occurs. A link could appear legitimate, but clicking on it could cause the download to begin. Drive-by Compromise \u00b7 A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript.", "modified": "2024-07-30T08:04:39.977000", "created": "2024-06-30T08:22:47.783000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669f882c5109175fe742fe58", "name": "(I Cloned Title & Pulse) WHO EVERYONE HAS BEEN LOOKING FOR [Pulse of IoC's Curated by user Streaming Ex]", "description": "", "modified": "2024-07-23T10:38:36.002000", "created": "2024-07-23T10:38:36.002000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709e14974bdb5d6dbda091", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2066, "URL": 1939, "hostname": 2768, "FileHash-SHA256": 276, "email": 90, "CVE": 47, "CIDR": 1, "FileHash-MD5": 16, "FileHash-SHA1": 4 }, "indicator_count": 7207, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "635 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666271a86acba18eb98ce7f3", "name": "Unix.Trojan.Mirai-6981158-0 | Win32/1ms0rry CoinMiner Botnet affects android user", "description": "Found an IP address in block: http://100.116.0.0/?\nFound on android device user. Target is being tracked. Uses .ru but tracks back to US based on other studies. Command 'redirect blame' found in association. Active, moved.", "modified": "2024-07-07T01:06:11.854000", "created": "2024-06-07T02:34:16.108000", "tags": [ "sha256", "sha1", "ascii text", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "null", "hybrid", "refresh", "body", "span", "june", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "win32 exe", "win32 dll", "wextract", "type name", "pink ribbon", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse pulses", "files", "domain", "files ip", "address domain", "ip related", "referrer", "doublepulsar", "historical ssl", "darkpulsar", "ru sketchup", "flawedammyy", "date", "hostname", "pulse submit", "url analysis", "verdict", "next", "a nxdomain", "ip address", "url http", "http", "related nids", "files location", "as9123 timeweb", "russia unknown", "ipv4", "reverse dns", "russia", "united kingdom", "aaaa", "as198947 jsc", "as29470 jsc", "moved", "search", "nxdomain", "files domain", "files related", "unknown", "as63949 linode", "germany unknown", "main", "as59552 vhg", "title", "div div", "gmt content", "accept", "chegg", "regis", "special use IP", "tracking", "locate", "pe resource", "no data", "tag count", "analyzer threat", "url summary", "summary", "sample", "samples", "detection list", "count blacklist", "xiaav", "windowsxp", "script domains", "script urls", "body doctype", "ok server", "encrypt", "cookie", "p div", "script script", "div section", "as21342", "js core", "a domains", "link", "as43561", "location sofia", "telnet", "belemet.id", "100.116.0.0/?", "a li", "p td", "td tr", "a br", "meta", "as24940 hetzner", "grab", "this", "entries", "trojan", "ransom", "msil", "site", "cisco umbrella", "alexa top", "million", "alexa", "malicious site", "malicious url", "hostnames", "blacklist", "trickbot", "usa", "showing", "creation date", "record value", "dnssec", "memcommit", "win321ms0rry", "coinminer", "etpro trojan", "botnet cnc", "checkin", "activity", "medium", "t1055", "lowfi", "malware", "copy" ], "references": [ "IP Block: 100.116.0.0/ Details: https://www.virustotal.com/gui/ip-address/100.116.0.0/details", "bElement.id", "Unix.Mirai IP: https://otx.alienvault.com/indicator/ip/93.170.6.43", "https://otx.alienvault.com/indicator/file/a108ff340f5256cc17c1e8345aacc3cf6c91987a1884957ea75df6d23281480b", "Yara Detections: is__elf", "IDS Detections: TELNET login failed root login Bad Login Generic Ping Keep-Alive Inbound M3", "Alerts: network_icmp suricata_alert network_multiple_direct_ip_connections Medium Priority Related Pulses OTX User-Created Pulses (2) Related Tags 10 Related Tags manipulation , discovery , dhta3eru4egasjn , abuse elevation , setgid More File Type ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped Size 55 KB (56653 bytes) MD5", "IDS Detections MSIL/CoinMiner.ACM CnC Activity Win32/1ms0rry CoinMiner Botnet CnC Checkin", "b0t.fun: https://otx.alienvault.com/indicator/domain/b0t.fun", "IDS Detections: Win32/1ms0rry CoinMiner Botnet CnC Checkin MSIL/CoinMiner.ACM CnC Activity High Priority", "Alerts: nids_malware_alert injection_runpe network_icmp allocates_execute_remote_process antivm_queries_computername", "Alerts: persistence_autorun injection_ntsetcontextthread injection_resumethread dumped_buffer network_http raises_exception", "Alerts: antivm_network_adapters privilege_luid_check suspicious_tld allocates_rwx moves_self checks_debugger antivm_memory_available", "https://www.virustotal.com/gui/ip-address/100.116.0.0/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Dark Pulsar", "display_name": "Dark Pulsar", "target": null }, { "id": "Unix.Trojan.Mirai-6981158-0", "display_name": "Unix.Trojan.Mirai-6981158-0", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null }, { "id": "Packer.Native", "display_name": "Packer.Native", "target": null }, { "id": "Win.Packed.Lynx", "display_name": "Win.Packed.Lynx", "target": null }, { "id": "Sodinokibi.AB", "display_name": "Sodinokibi.AB", "target": null }, { "id": "CoinMiner.ACM", "display_name": "CoinMiner.ACM", "target": null }, { "id": "CoinMiner.WE", "display_name": "CoinMiner.WE", "target": null }, { "id": "CoinMiner.WM", "display_name": "CoinMiner.WM", "target": null }, { "id": "Win32/1ms0rry", "display_name": "Win32/1ms0rry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1195, "FileHash-SHA1": 745, "FileHash-SHA256": 1212, "URL": 2436, "domain": 1264, "hostname": 1148, "email": 1 }, "indicator_count": 8001, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "651 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66480cb1cc174fd804e0cef9", "name": "Elgoogle", "description": "", "modified": "2024-05-18T02:12:28.801000", "created": "2024-05-18T02:04:33.967000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709f0bbdd32cb4b343a12f", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Elgoogle", "id": "281171", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2514, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 8, "modified_text": "701 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a756ee3c8ce2314e235a", "name": "Home Networks", "description": "", "modified": "2023-12-06T16:54:46.263000", "created": "2023-12-06T16:54:46.263000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 290, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2298, "FileHash-SHA256": 24535, "FileHash-MD5": 7197, "URL": 1188, "hostname": 2636, "JA3": 2, "email": 96, "CVE": 44, "FileHash-SHA1": 7174 }, "indicator_count": 45170, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709f0bbdd32cb4b343a12f", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:19:23.067000", "created": "2023-12-06T16:19:23.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2514, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709eee2f74978bd15d60a9", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:53.346000", "created": "2023-12-06T16:18:53.346000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2219, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709ed8415c89746a234d89", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:32.627000", "created": "2023-12-06T16:18:32.627000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44903, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709ebd65cdc059b8e373ef", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:05.044000", "created": "2023-12-06T16:18:05.044000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2519, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 36 }, "indicator_count": 44910, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709ea58a4b251d0f7aac7b", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:17:41.816000", "created": "2023-12-06T16:17:41.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2221, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1176, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 37 }, "indicator_count": 44909, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e8b31eda9b13196277a", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:17:15.458000", "created": "2023-12-06T16:17:15.458000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2222, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1176, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 38 }, "indicator_count": 44911, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e736e1768898768814f", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:16:51.265000", "created": "2023-12-06T16:16:51.265000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2221, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1179, "hostname": 2521, "JA3": 2, "email": 84, "FileHash-SHA1": 7164, "CVE": 40 }, "indicator_count": 44924, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e5d4c59f8ac3f86f615", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:16:29.659000", "created": "2023-12-06T16:16:29.659000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2430, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1331, "hostname": 2748, "JA3": 2, "email": 94, "CVE": 42, "FileHash-SHA1": 7164 }, "indicator_count": 45524, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e245df26a29e78d740a", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-12-06T16:15:32.595000", "created": "2023-12-06T16:15:32.595000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2428, "FileHash-MD5": 19, "URL": 2378, "hostname": 3144, "FileHash-SHA256": 307, "email": 87, "CVE": 47, "CIDR": 1, "FileHash-SHA1": 6 }, "indicator_count": 8417, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e1db42d958b88f07ca8", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-12-06T16:15:25.303000", "created": "2023-12-06T16:15:25.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2428, "FileHash-MD5": 19, "URL": 2378, "hostname": 3141, "FileHash-SHA256": 307, "email": 87, "CVE": 47, "CIDR": 1, "FileHash-SHA1": 6 }, "indicator_count": 8414, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e14974bdb5d6dbda091", "name": "WHO EVERYONE HAS BEEN LOOKING FOR", "description": "", "modified": "2023-12-06T16:15:16.406000", "created": "2023-12-06T16:15:16.406000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2066, "URL": 1939, "hostname": 2768, "FileHash-SHA256": 276, "email": 90, "CVE": 47, "CIDR": 1, "FileHash-MD5": 16, "FileHash-SHA1": 4 }, "indicator_count": 7207, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709ded7d8a5ce8dba3444a", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-12-06T16:14:37.212000", "created": "2023-12-06T16:14:37.212000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2362, "FileHash-SHA256": 24578, "FileHash-MD5": 7241, "URL": 1216, "hostname": 2688, "JA3": 2, "email": 97, "CVE": 43, "FileHash-SHA1": 7217 }, "indicator_count": 45444, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709dd6926a5676de0e2a19", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-12-06T16:14:13.668000", "created": "2023-12-06T16:14:13.668000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2427, "FileHash-SHA256": 24528, "FileHash-MD5": 7187, "URL": 1346, "hostname": 2829, "JA3": 2, "email": 99, "CVE": 43, "FileHash-SHA1": 7164 }, "indicator_count": 45625, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709ca13f7a17df14af4912", "name": "WHO IS NIC", "description": "", "modified": "2023-12-06T16:09:05.625000", "created": "2023-12-06T16:09:05.625000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2485, "FileHash-MD5": 39, "URL": 2407, "hostname": 3208, "FileHash-SHA256": 328, "email": 91, "CVE": 45, "CIDR": 1, "FileHash-SHA1": 26 }, "indicator_count": 8630, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709a49ed44fea53e9aeec5", "name": "home networks", "description": "", "modified": "2023-12-06T15:59:05.075000", "created": "2023-12-06T15:59:05.075000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2298, "FileHash-SHA256": 24535, "FileHash-MD5": 7197, "URL": 1188, "hostname": 2636, "JA3": 2, "email": 96, "CVE": 44, "FileHash-SHA1": 7174 }, "indicator_count": 45170, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64944a718c48be8bb9d2c315", "name": "WHO IS NIC", "description": "", "modified": "2023-11-14T06:01:29.027000", "created": "2023-06-22T13:19:45.357000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5199, "domain": 4162, "hostname": 5260, "email": 105, "FileHash-SHA256": 761, "FileHash-MD5": 40, "CVE": 97, "FileHash-SHA1": 28, "CIDR": 1 }, "indicator_count": 15653, "is_author": false, "is_subscribing": null, "subscriber_count": 96, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1b78e5e7e24debcdd89b", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:56.851000", "created": "2023-10-30T02:56:56.851000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1b77c1090397a32b6979", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:55.293000", "created": "2023-10-30T02:56:55.293000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1b744f82ff189926035a", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:52.243000", "created": "2023-10-30T02:56:52.243000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c17dc55bd8ed9bca3d4c02", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-09-27T00:01:19.593000", "created": "2023-07-26T20:10:45.140000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3392, "URL": 2619, "hostname": 3967, "FileHash-MD5": 12115, "FileHash-SHA1": 12088, "FileHash-SHA256": 57501, "CVE": 61, "IPv4": 84, "email": 106, "JA3": 2 }, "indicator_count": 91935, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "935 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65136f65f7240bd2ba4b325c", "name": "Home Networks", "description": "", "modified": "2023-09-26T23:55:17.763000", "created": "2023-09-26T23:55:17.763000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "935 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c0e9db04ed02765f336f16", "name": "Who is Joel lesperance", "description": "", "modified": "2023-09-23T01:05:28.173000", "created": "2023-07-26T09:39:39.925000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3852, "domain": 2401, "hostname": 3458, "email": 127, "FileHash-SHA256": 637, "FileHash-MD5": 16, "CVE": 108, "FileHash-SHA1": 6 }, "indicator_count": 10605, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c82712d7810b852cabc855", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T23:01:13.597000", "created": "2023-07-31T21:26:42.783000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3442, "URL": 2763, "hostname": 4033, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 61, "IPv4": 84, "email": 105, "JA3": 2 }, "indicator_count": 92004, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c17dc34265fd1359962a8a", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-08-31T23:01:13.597000", "created": "2023-07-26T20:10:43.473000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 299, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3539, "URL": 3403, "hostname": 4473, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57441, "CVE": 63, "IPv4": 84, "email": 112, "JA3": 2 }, "indicator_count": 93193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c8267397a7cce9adeecaa0", "name": "SAV.COM WHO IS SOURCEADULT.COM", "description": "", "modified": "2023-08-31T20:05:29.053000", "created": "2023-07-31T21:24:03.974000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64c0e9db04ed02765f336f16", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3868, "domain": 2452, "hostname": 3586, "email": 134, "FileHash-SHA256": 668, "FileHash-MD5": 17, "CVE": 109, "FileHash-SHA1": 7 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c827144620e1502824a501", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T19:04:41.183000", "created": "2023-07-31T21:26:44.747000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3191, "URL": 2558, "hostname": 3737, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 56, "IPv4": 84, "email": 93, "JA3": 2 }, "indicator_count": 91235, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c826748caebf09e24fbd12", "name": "SAV.COM WHO IS SOURCEADULT.COM", "description": "", "modified": "2023-08-31T19:04:41.183000", "created": "2023-07-31T21:24:04.985000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64c0e9db04ed02765f336f16", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3904, "domain": 2435, "hostname": 3625, "email": 131, "FileHash-SHA256": 637, "FileHash-MD5": 16, "CVE": 109, "FileHash-SHA1": 6 }, "indicator_count": 10863, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c8271531ba066a327381f4", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-31T21:26:45.582000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3192, "URL": 2555, "hostname": 3729, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 53, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91221, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c3210e7bb5f0a9972175ba", "name": "WHO EVERYONE HAS BEEN LOOKING FOR", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-28T01:59:42.114000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4204, "domain": 3263, "hostname": 4282, "email": 103, "FileHash-SHA256": 638, "FileHash-MD5": 17, "CVE": 97, "FileHash-SHA1": 6, "CIDR": 1 }, "indicator_count": 12611, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c8271853824d2e96b63e76", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-31T21:26:48.513000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3188, "URL": 2554, "hostname": 3728, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 49, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91211, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c8271a118ad7ca6ad1cc1c", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-31T21:26:50.414000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3189, "URL": 2554, "hostname": 3728, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 49, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91212, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c8271c154fb0e795a4eed4", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-31T21:26:52.771000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3188, "URL": 2554, "hostname": 3729, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 49, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91212, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c827169fd4e55ea5b8075d", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-30T21:00:58.817000", "created": "2023-07-31T21:26:46.039000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3191, "URL": 2555, "hostname": 3728, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 52, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91218, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c82716f08b75eef0ccad22", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-30T21:00:58.817000", "created": "2023-07-31T21:26:46.776000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3188, "URL": 2554, "hostname": 3734, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 51, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91219, "is_author": false, "is_subscribing": null, "subscriber_count": 81, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "645a0d4c0e0c3cffd34ec23a", "name": "home networks", "description": "home wifi", "modified": "2023-08-30T03:05:36.781000", "created": "2023-05-09T09:07:24.476000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "963 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c446dacd742b956b571f9a", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-08-30T00:00:55.061000", "created": "2023-07-28T22:53:14.751000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5170, "domain": 4104, "hostname": 5186, "email": 100, "FileHash-SHA256": 740, "FileHash-MD5": 20, "CVE": 98, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 15427, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "963 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c446d9fa11016096a06f61", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-08-30T00:00:55.061000", "created": "2023-07-28T22:53:13.536000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5170, "domain": 4105, "hostname": 5183, "email": 100, "FileHash-SHA256": 740, "FileHash-MD5": 20, "CVE": 97, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 15424, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "963 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64bc42b07eabfe6151e757be", "name": "Who is Mickey lesperance", "description": "", "modified": "2023-08-30T00:00:55.061000", "created": "2023-07-22T20:57:20.188000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1334, "domain": 879, "hostname": 1261, "email": 42, "FileHash-SHA256": 440, "FileHash-MD5": 12, "CVE": 101, "FileHash-SHA1": 3 }, "indicator_count": 4072, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "963 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "espysite.azurewebsites.net", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "https://www.virustotal.com/gui/ip-address/100.116.0.0/summary", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Alerts: persistence_autorun injection_ntsetcontextthread injection_resumethread dumped_buffer network_http raises_exception", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "IDS Detections MSIL/CoinMiner.ACM CnC Activity Win32/1ms0rry CoinMiner Botnet CnC Checkin", "http://sexkompas.xyz", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "tracking2youdu.com , cdn.livechatinc.com", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "Alerts: nids_malware_alert injection_runpe network_icmp allocates_execute_remote_process antivm_queries_computername", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Unix.Mirai IP: https://otx.alienvault.com/indicator/ip/93.170.6.43", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "b0t.fun: https://otx.alienvault.com/indicator/domain/b0t.fun", "https://otx.alienvault.com/indicator/file/a108ff340f5256cc17c1e8345aacc3cf6c91987a1884957ea75df6d23281480b", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "http://45.159.189.105/bot/regex [command and control infection source]", "IP Block: 100.116.0.0/ Details: https://www.virustotal.com/gui/ip-address/100.116.0.0/details", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "Alerts: network_icmp suricata_alert network_multiple_direct_ip_connections Medium Priority Related Pulses OTX User-Created Pulses (2) Related Tags 10 Related Tags manipulation , discovery , dhta3eru4egasjn , abuse elevation , setgid More File Type ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped Size 55 KB (56653 bytes) MD5", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "Found in: https://jbplegal.com", "https://twitter.com/PORNO_SEXYBABES", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "Yara Detections: is__elf", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "Alerts: antivm_network_adapters privilege_luid_check suspicious_tld allocates_rwx moves_self checks_debugger antivm_memory_available", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "bElement.id", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "samsungdevapi.reverselogix.net", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "IDS Detections: Win32/1ms0rry CoinMiner Botnet CnC Checkin MSIL/CoinMiner.ACM CnC Activity High Priority", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "PEXE - DOS executable (COM)", "IDS Detections: TELNET login failed root login Bad Login Generic Ping Keep-Alive Inbound M3", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32/1ms0rry", "Dark pulsar", "Pws:win32/ymacco", "Tel:trojan:win32/injector.ab!msr", "Win32:malware-gen", "Etpro", "Win.trojan.buzus-5453", "Win.packed.lynx", "Coinminer.acm", "Zeus", "Win.malware.vtflooder-6260355-1", "Packer.native", "Trickbot", "Win32:pwsx-gen", "Win32:vb-ajkp\\ [trj]", "Ransom:win32/crowti.a", "Formbook", "Unix.trojan.mirai-6981158-0", "Trojan:win32/glupteba.mt!mtb", "Win.malware.swisyn-7610494-0", "Sodinokibi.ab", "Mirai", "Win.trojan.barys-10005825-0", "Win.malware.drivepack-9884589-1", "Coinminer.wm", "Coinminer.we", "Win32:injector-cvf\\ [trj]\t\twin.mal" ], "industries": [ "Civil society", "Legal", "Targeted individuals", "Healthcare" ], "unique_indicators": 103381 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/jquery.com", "whois": "http://whois.domaintools.com/jquery.com", "domain": "jquery.com", "hostname": "code.jquery.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 49, "pulses": [ { "id": "66f38d1b2e4ef8d8db533d36", "name": "FormBook - moa.moe ??? Pegasus & Brian Sabey Related", "description": "", "modified": "2024-10-25T03:00:50.871000", "created": "2024-09-25T04:10:03.211000", "tags": [ "as54113", "united", "a domains", "passive dns", "unknown", "mtb sep", "github pages", "request id", "sea x", "twitter", "accept", "status", "cookie", "search", "certificate", "record value", "showing", "as8075", "aaaa", "asnone united", "yara detections", "trojan", "show", "all scoreblue", "av detections", "ids detections", "body", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "urls", "443 ma2592000", "encrypt", "germany unknown", "meta http", "content", "gmt server", "th th", "ipv4", "main", "name servers", "redacted for", "for privacy", "servers", "meta", "homemakers", "as212222", "script domains", "script urls", "diy artikelen", "zo bieden", "class", "customer", "as16276", "canada unknown", "sigattr", "formbook cnc", "checkin", "win32", "entries", "bootasep apr", "alerts", "read", "write", "delete", "top source", "files", "location united", "creation date", "domain", "emails", "expiration date", "next", "ovhcloud meta", "cname", "as36459", "whitelisted ip", "address", "asn as36459", "registrar", "markmonitor", "related tags", "france unknown", "moved", "setcookie", "gmt contenttype", "refloadapihash", "france", "nxdomain", "aaaa fd00", "as16276 ovh", "poland", "error", "backend", "as40065", "china unknown", "deleted site", "atom", "record type", "ttl value", "as174 cogent", "pulse submit", "url analysis", "hostname", "as64050 bgpnet", "x9875 x9762", "gmt max", "httponly", "hong kong", "taiwan unknown", "china asn", "server", "privacy tech", "privacy admin", "registrar abuse", "country", "organization", "postal code", "stateprovince", "code", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "ec oid", "dns replication", "algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "enom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Singapore" ], "malware_families": [ { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4675, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 623, "FileHash-MD5": 760, "FileHash-SHA1": 794, "FileHash-SHA256": 3406, "domain": 1633, "hostname": 1037, "email": 17, "CVE": 1 }, "indicator_count": 8271, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f270d3801ae3dfde1cd0", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware ", "description": "", "modified": "2024-07-30T08:04:39.977000", "created": "2024-07-01T00:04:00.567000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": "668115d703e0a46887c7f08d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668115d703e0a46887c7f08d", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware", "description": "Targeted Individual has experienced attacks on both iOS, Android, MacBooks & PC's. Drive-by Compromise can be accomplished by various methods this can be done, for example: A pop up advert could have an 'X' in the corner that disguises itself as a close button, but actually acts as a catalyst for starting a malicious download once pressed. A tactic used on specific target is a pop-up w/with (a non-Google affiliated disclaimer)'Google' account chooser with Google logo desired email checked. [https://accounts.google.com/AccountChooser?]; checked. Every time TB acquired a new phone, this occurs. A link could appear legitimate, but clicking on it could cause the download to begin. Drive-by Compromise \u00b7 A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript.", "modified": "2024-07-30T08:04:39.977000", "created": "2024-06-30T08:22:47.783000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669f882c5109175fe742fe58", "name": "(I Cloned Title & Pulse) WHO EVERYONE HAS BEEN LOOKING FOR [Pulse of IoC's Curated by user Streaming Ex]", "description": "", "modified": "2024-07-23T10:38:36.002000", "created": "2024-07-23T10:38:36.002000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709e14974bdb5d6dbda091", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2066, "URL": 1939, "hostname": 2768, "FileHash-SHA256": 276, "email": 90, "CVE": 47, "CIDR": 1, "FileHash-MD5": 16, "FileHash-SHA1": 4 }, "indicator_count": 7207, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "635 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666271a86acba18eb98ce7f3", "name": "Unix.Trojan.Mirai-6981158-0 | Win32/1ms0rry CoinMiner Botnet affects android user", "description": "Found an IP address in block: http://100.116.0.0/?\nFound on android device user. Target is being tracked. Uses .ru but tracks back to US based on other studies. Command 'redirect blame' found in association. Active, moved.", "modified": "2024-07-07T01:06:11.854000", "created": "2024-06-07T02:34:16.108000", "tags": [ "sha256", "sha1", "ascii text", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "null", "hybrid", "refresh", "body", "span", "june", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "win32 exe", "win32 dll", "wextract", "type name", "pink ribbon", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse pulses", "files", "domain", "files ip", "address domain", "ip related", "referrer", "doublepulsar", "historical ssl", "darkpulsar", "ru sketchup", "flawedammyy", "date", "hostname", "pulse submit", "url analysis", "verdict", "next", "a nxdomain", "ip address", "url http", "http", "related nids", "files location", "as9123 timeweb", "russia unknown", "ipv4", "reverse dns", "russia", "united kingdom", "aaaa", "as198947 jsc", "as29470 jsc", "moved", "search", "nxdomain", "files domain", "files related", "unknown", "as63949 linode", "germany unknown", "main", "as59552 vhg", "title", "div div", "gmt content", "accept", "chegg", "regis", "special use IP", "tracking", "locate", "pe resource", "no data", "tag count", "analyzer threat", "url summary", "summary", "sample", "samples", "detection list", "count blacklist", "xiaav", "windowsxp", "script domains", "script urls", "body doctype", "ok server", "encrypt", "cookie", "p div", "script script", "div section", "as21342", "js core", "a domains", "link", "as43561", "location sofia", "telnet", "belemet.id", "100.116.0.0/?", "a li", "p td", "td tr", "a br", "meta", "as24940 hetzner", "grab", "this", "entries", "trojan", "ransom", "msil", "site", "cisco umbrella", "alexa top", "million", "alexa", "malicious site", "malicious url", "hostnames", "blacklist", "trickbot", "usa", "showing", "creation date", "record value", "dnssec", "memcommit", "win321ms0rry", "coinminer", "etpro trojan", "botnet cnc", "checkin", "activity", "medium", "t1055", "lowfi", "malware", "copy" ], "references": [ "IP Block: 100.116.0.0/ Details: https://www.virustotal.com/gui/ip-address/100.116.0.0/details", "bElement.id", "Unix.Mirai IP: https://otx.alienvault.com/indicator/ip/93.170.6.43", "https://otx.alienvault.com/indicator/file/a108ff340f5256cc17c1e8345aacc3cf6c91987a1884957ea75df6d23281480b", "Yara Detections: is__elf", "IDS Detections: TELNET login failed root login Bad Login Generic Ping Keep-Alive Inbound M3", "Alerts: network_icmp suricata_alert network_multiple_direct_ip_connections Medium Priority Related Pulses OTX User-Created Pulses (2) Related Tags 10 Related Tags manipulation , discovery , dhta3eru4egasjn , abuse elevation , setgid More File Type ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped Size 55 KB (56653 bytes) MD5", "IDS Detections MSIL/CoinMiner.ACM CnC Activity Win32/1ms0rry CoinMiner Botnet CnC Checkin", "b0t.fun: https://otx.alienvault.com/indicator/domain/b0t.fun", "IDS Detections: Win32/1ms0rry CoinMiner Botnet CnC Checkin MSIL/CoinMiner.ACM CnC Activity High Priority", "Alerts: nids_malware_alert injection_runpe network_icmp allocates_execute_remote_process antivm_queries_computername", "Alerts: persistence_autorun injection_ntsetcontextthread injection_resumethread dumped_buffer network_http raises_exception", "Alerts: antivm_network_adapters privilege_luid_check suspicious_tld allocates_rwx moves_self checks_debugger antivm_memory_available", "https://www.virustotal.com/gui/ip-address/100.116.0.0/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Dark Pulsar", "display_name": "Dark Pulsar", "target": null }, { "id": "Unix.Trojan.Mirai-6981158-0", "display_name": "Unix.Trojan.Mirai-6981158-0", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null }, { "id": "Packer.Native", "display_name": "Packer.Native", "target": null }, { "id": "Win.Packed.Lynx", "display_name": "Win.Packed.Lynx", "target": null }, { "id": "Sodinokibi.AB", "display_name": "Sodinokibi.AB", "target": null }, { "id": "CoinMiner.ACM", "display_name": "CoinMiner.ACM", "target": null }, { "id": "CoinMiner.WE", "display_name": "CoinMiner.WE", "target": null }, { "id": "CoinMiner.WM", "display_name": "CoinMiner.WM", "target": null }, { "id": "Win32/1ms0rry", "display_name": "Win32/1ms0rry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1195, "FileHash-SHA1": 745, "FileHash-SHA256": 1212, "URL": 2436, "domain": 1264, "hostname": 1148, "email": 1 }, "indicator_count": 8001, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "651 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66480cb1cc174fd804e0cef9", "name": "Elgoogle", "description": "", "modified": "2024-05-18T02:12:28.801000", "created": "2024-05-18T02:04:33.967000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709f0bbdd32cb4b343a12f", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Elgoogle", "id": "281171", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2514, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 8, "modified_text": "701 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://code.jquery.com/jquery-3.3.1.min.js", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://code.jquery.com/jquery-3.3.1.min.js", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616674.9453306 }