{ "type": "URL", "indicator": "https://cpcontacts.delightmultitrading.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cpcontacts.delightmultitrading.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3784698523, "indicator": "https://cpcontacts.delightmultitrading.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "66762a4ccb10185d774ddbde", "name": "Lazarus Group - Emotet | Sony Music", "description": "Is the Lazarus Group still attacking Sony Music, affiliated, former, contacts, aspiring prospects and independent artists?\n\nA Denver Studio owner had former Sony leadership role was fully infected with Pegasus, Mirai and a Lazarus Group affiliation seen. An independent Denver publishing company and artists were greatly targeted and continue to be. A songwriter known to have recorded at Denver Studio had songs pirated. Tori Kelly and Justin Bieber recorded over chops copy written by artist. Strangely legally affiliated. A rumor suggests Lazarus group & Anonymous are hacker made up of government employees, police officers, attorneys and PI's. The government affiliated IP's are give rumors some weight. Hackers will hack anything, \nMost popular beliefs are artist was targeted and therefore the studio where she target worked from often. Denver Studio report scrubbed by HistoryKillerPro & other Unknown Stealers.", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T01:35:08.834000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667648f0bc130bdaa294ea19", "name": "Sony Music | Emotet - Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T03:45:52.401000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "66762a4ccb10185d774ddbde", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f340f8c0223ae0ce199d", "name": "Bitdefender Ransomware| | Sony Music | Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-07-01T00:07:28.402000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "667648f0bc130bdaa294ea19", "export_count": 6847, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "louisianarooflawyers.com [phishing]", "pornhub.org", "IPv4 198.54.117.210 command_and_control", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "http://mobilesmafia.com/applications/botnet.ex", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "nr-data.net [Apple Private Data Collection]", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "tvapp-server.de", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "IPv4 198.54.117.211 command_and_control", "\u2193Interesting\u2193", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "IPv4 198.54.117.215 command_and_control", "tx-p2p-pull.video-voip.com.dorm.com", "IPv4 198.54.117.212 command_and_control", "ransomwaretracker.abuse.ch", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "ww12.indianpornxxxtube.com", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "zeustracker.abuse.ch", "hasownproperty.call", "apple-securityiphone-icloud.com", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "Server: Web redirection - http://loki.com/download", "http://updates.voicemailaccess.net/b0f6a00b15311023", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "IPv4 198.54.117.218 command_and_control", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "IPv4 198.54.117.217 command_and_control" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Generic_r.byw", "Win32:evo-gen\\ [susp]", "Generic", "Win.trojan.mbrlock-9779766-0", "Blacknet", "Win.trojan.agent-828507", "W32.sality-73", "Trojan:win32/remcosrat", "Win32/cryptor", "Win.trojan.darkkomet-1", "Win32:evo-gen", "Ransomexx", "#lowfi:suspicioussectionname", "Win32:evo-gen\\ [trj]", "Installcore", "Win32:inject-bcl\\ [trj]", "Virtool:win32/ceeinject", "Mirai", "Quasar rat", "Sheur4.ceoo", "Hacktool", "Win32/tanatos.a", "Backdoor:msil/bladabindi" ], "industries": [ "Telecommunications", "Media", "Entertainment", "Technology" ], "unique_indicators": 44316 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/delightmultitrading.com", "whois": "http://whois.domaintools.com/delightmultitrading.com", "domain": "delightmultitrading.com", "hostname": "cpcontacts.delightmultitrading.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "66762a4ccb10185d774ddbde", "name": "Lazarus Group - Emotet | Sony Music", "description": "Is the Lazarus Group still attacking Sony Music, affiliated, former, contacts, aspiring prospects and independent artists?\n\nA Denver Studio owner had former Sony leadership role was fully infected with Pegasus, Mirai and a Lazarus Group affiliation seen. An independent Denver publishing company and artists were greatly targeted and continue to be. A songwriter known to have recorded at Denver Studio had songs pirated. Tori Kelly and Justin Bieber recorded over chops copy written by artist. Strangely legally affiliated. A rumor suggests Lazarus group & Anonymous are hacker made up of government employees, police officers, attorneys and PI's. The government affiliated IP's are give rumors some weight. Hackers will hack anything, \nMost popular beliefs are artist was targeted and therefore the studio where she target worked from often. Denver Studio report scrubbed by HistoryKillerPro & other Unknown Stealers.", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T01:35:08.834000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667648f0bc130bdaa294ea19", "name": "Sony Music | Emotet - Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T03:45:52.401000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "66762a4ccb10185d774ddbde", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f340f8c0223ae0ce199d", "name": "Bitdefender Ransomware| | Sony Music | Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-07-01T00:07:28.402000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "667648f0bc130bdaa294ea19", "export_count": 6847, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cpcontacts.delightmultitrading.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cpcontacts.delightmultitrading.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642174.532864 }