{ "type": "URL", "indicator": "https://cpcalendars.21-vision.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cpcalendars.21-vision.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3678796659, "indicator": "https://cpcalendars.21-vision.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944a8149f2479b2fbc6cd1", "name": "Relic", "description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.", "modified": "2024-02-01T14:01:46.735000", "created": "2024-01-02T17:40:17.890000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers nel", "maxage5184000", "name verdict", "falcon sandbox", "whois record", "ssl certificate", "tsara brashears", "whois whois", "historical ssl", "contacted", "highly targeted", "hackers", "botnet", "apple ios", "malicious", "hacktool", "quasar", "download", "malware", "relic", "monitoring", "installer", "tofsee", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "united", "file", "pattern match", "path", "date", "win64", "factory", "model", "comspec", "hybrid", "general", "click", "strings", "patch", "song culture", "tulach" ], "references": [ "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "nr-data.net [Apple Private Data Collection]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "location-icloud.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "http://114.114.114.114/ipw.ps1", "194.245.148.189 [CnC]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "http://109.206.241.129/666bins/666.mpsl", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://watchhers.net/index.php [malware spreader]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "xred.mooo.com [pornhub trojan]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8049, "FileHash-MD5": 388, "FileHash-SHA1": 212, "FileHash-SHA256": 7062, "domain": 4401, "hostname": 2653, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 22769, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65551682899b039e02b8dc8a", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:38.437000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655516871038cbad9eae2bb7", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:43.285000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7dda4ef145116f1593a", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-12-06T16:57:01.831000", "created": "2023-12-06T16:57:01.831000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "hostname": 551, "FileHash-SHA256": 650, "FileHash-MD5": 425, "FileHash-SHA1": 224, "URL": 1019, "domain": 485, "email": 2, "FilePath": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7d867bfb30b452b94d0", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-12-06T16:56:56.522000", "created": "2023-12-06T16:56:56.522000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "hostname": 551, "FileHash-SHA256": 650, "FileHash-MD5": 425, "FileHash-SHA1": 224, "URL": 1019, "domain": 485, "email": 2, "FilePath": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651f175a87ed5eba41657bf3", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-05T20:06:50.075000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651f177187ed5eba41657bf4", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-05T20:07:13.805000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f14eabcb037c4257b827b", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-30T02:28:58.264000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": "651f177187ed5eba41657bf4", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "645c24248b419388ef116470", "name": "http://www.jspwiki.org/attach/LessLessPlugin/antlr.jar", "description": "", "modified": "2023-05-10T23:09:41.360000", "created": "2023-05-10T23:09:24.770000", "tags": [ "http://online.vehicle.tax.refund.ref560.iepalink.com/pjx", "gov.uk", "phishing", "car tax" ], "references": [ "http://online.vehicle.tax.refund.ref560.iepalink.com/pjx" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 623, "hostname": 391, "FileHash-SHA256": 372, "domain": 161, "CVE": 1, "IPv4": 32, "FileHash-MD5": 21, "FileHash-SHA1": 21 }, "indicator_count": 1622, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1075 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "location-icloud.com", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "Research and Analysis", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "http://114.114.114.114/ipw.ps1", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "Parking Crew Spyware", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "BEELab_web_1.0.2-prerelease.exe", "greycroftpartners.com", "AfraidZad.exe", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "wTools", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "http://watchhers.net/index.php [malware spreader]", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "http://online.vehicle.tax.refund.ref560.iepalink.com/pjx", "eg-monitoring.com", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "114.114.114.114 [ Tulach Malware IP]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "https://stackabuse.com/assets/images/apple", "13.107.136.8 [ Tulach Malware IP redirect]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "194.245.148.189 [CnC]", "trkpls3.com", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "143.244.50.213 |169.150.249.162 [malware_hosting]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]", "https://twitter.com/PORNO_SEXYBABES", "Spyware", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "\u2193 Interesting \u2193", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "dllinject", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "http://109.206.241.129/666bins/666.mpsl", "owa.telegrafix.com", "https://twitter.com/sheriffspurlock?lang=en", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "xred.mooo.com [pornhub trojan]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "christ.robert@gmx.de", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "https://pin.it/ [faux Pinterest for TB]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Cyber Criminal" ], "malware_families": [ "Trojandownloader:win32/kraddare", "Tinyzbot - s0004", "Content reputation", "Generic", "Tofsee", "Alf:heraklezeval:pua:win32/spyrixkeylogger", "Looquer", "Alf:pua:win32/fusioncore", "Spammer:win32/noname", "Trojan:win32/qbot", "Packed.vmprotect", "Trojan:win32/dapato", "Relic", "Bambernek pony", "Trojanspy:win32/kronos", "Banker", "Trojan:msil/razy", "Et", "Ramnit", "Trojan:win32/wacatac", "Webtoolbar", "Ransom:win32/nymaim", "Rms", "Backdoor:win32/simda", "Quasar rat", "Alf:jasyp:puawin32/systweak", "Maltiverse", "Alf:pua:win32/iobit", "Trojan:win32/raccoonstealer", "Hacktool", "Trojan:win32/installcore", "Tulach", "Worm:win32/pykspa", "Comspec", "Trojanspy" ], "industries": [], "unique_indicators": 62994 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/21-vision.com", "whois": "http://whois.domaintools.com/21-vision.com", "domain": "21-vision.com", "hostname": "cpcalendars.21-vision.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944a8149f2479b2fbc6cd1", "name": "Relic", "description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.", "modified": "2024-02-01T14:01:46.735000", "created": "2024-01-02T17:40:17.890000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers nel", "maxage5184000", "name verdict", "falcon sandbox", "whois record", "ssl certificate", "tsara brashears", "whois whois", "historical ssl", "contacted", "highly targeted", "hackers", "botnet", "apple ios", "malicious", "hacktool", "quasar", "download", "malware", "relic", "monitoring", "installer", "tofsee", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "united", "file", "pattern match", "path", "date", "win64", "factory", "model", "comspec", "hybrid", "general", "click", "strings", "patch", "song culture", "tulach" ], "references": [ "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "nr-data.net [Apple Private Data Collection]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "location-icloud.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "http://114.114.114.114/ipw.ps1", "194.245.148.189 [CnC]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "http://109.206.241.129/666bins/666.mpsl", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://watchhers.net/index.php [malware spreader]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "xred.mooo.com [pornhub trojan]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8049, "FileHash-MD5": 388, "FileHash-SHA1": 212, "FileHash-SHA256": 7062, "domain": 4401, "hostname": 2653, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 22769, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65551682899b039e02b8dc8a", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:38.437000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655516871038cbad9eae2bb7", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:43.285000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "856 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7dda4ef145116f1593a", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-12-06T16:57:01.831000", "created": "2023-12-06T16:57:01.831000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "hostname": 551, "FileHash-SHA256": 650, "FileHash-MD5": 425, "FileHash-SHA1": 224, "URL": 1019, "domain": 485, "email": 2, "FilePath": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7d867bfb30b452b94d0", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-12-06T16:56:56.522000", "created": "2023-12-06T16:56:56.522000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "hostname": 551, "FileHash-SHA256": 650, "FileHash-MD5": 425, "FileHash-SHA1": 224, "URL": 1019, "domain": 485, "email": 2, "FilePath": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651f175a87ed5eba41657bf3", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-05T20:06:50.075000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651f177187ed5eba41657bf4", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-05T20:07:13.805000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cpcalendars.21-vision.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cpcalendars.21-vision.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776698849.4468672 }