{ "type": "URL", "indicator": "https://cpcontacts.whitefools.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cpcontacts.whitefools.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3183304621, "indicator": "https://cpcontacts.whitefools.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "65eb9d9426d9822cf0895b91", "name": "Australia Immortal | Ponmicup | Beach Research (modified by unknown)", "description": "", "modified": "2024-03-08T23:21:56.652000", "created": "2024-03-08T23:21:56.652000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "65418472eb20b10ee5510fde", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "771 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65418472eb20b10ee5510fde", "name": "Australia Immortal | Ponmicup | Beach Research", "description": "Okay, Michael Roberts of Rexxfield[.]com is an alleged cyber security hacker, victim, adversary, etc. As far as I go back he is attached defacement. Mr. SQL. Allegedly works for attorneys. Cover up guy. I don't know if he is real despite the incredible stories online from capturing a murderer to being married to one. Based on what I've read he avenges medical professionals who commit crimes by attacking and silencing and his favorite injection. I was looking at device, a remote video from MILESIT.COM covered entire screen. (Auto populated: The results of an analysis of more than 400,000 IP addresses found on the OpenPhish website, compiled by the Phishing Research Team, have been published on Facebook, Twitter and Facebook.)", "modified": "2023-11-30T22:00:36.762000", "created": "2023-10-31T22:49:22.495000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544cc36799d1c45c82c1ed7", "name": "Australia Immortal | Ponmicup | Beach Research", "description": "", "modified": "2023-11-30T22:00:36.762000", "created": "2023-11-03T10:32:22.249000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "65418472eb20b10ee5510fde", "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65459d8355ffcc57175db685", "name": "Australia Immortal | Ponmicup | Beach Research", "description": "", "modified": "2023-11-30T22:00:36.762000", "created": "2023-11-04T01:25:23.996000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "6544cc36799d1c45c82c1ed7", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Domains", "Et", "Inmortal", "Content reputation", "Beach research" ], "industries": [], "unique_indicators": 24530 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/whitefools.com", "whois": "http://whois.domaintools.com/whitefools.com", "domain": "whitefools.com", "hostname": "cpcontacts.whitefools.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "65eb9d9426d9822cf0895b91", "name": "Australia Immortal | Ponmicup | Beach Research (modified by unknown)", "description": "", "modified": "2024-03-08T23:21:56.652000", "created": "2024-03-08T23:21:56.652000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "65418472eb20b10ee5510fde", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "771 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65418472eb20b10ee5510fde", "name": "Australia Immortal | Ponmicup | Beach Research", "description": "Okay, Michael Roberts of Rexxfield[.]com is an alleged cyber security hacker, victim, adversary, etc. As far as I go back he is attached defacement. Mr. SQL. Allegedly works for attorneys. Cover up guy. I don't know if he is real despite the incredible stories online from capturing a murderer to being married to one. Based on what I've read he avenges medical professionals who commit crimes by attacking and silencing and his favorite injection. I was looking at device, a remote video from MILESIT.COM covered entire screen. (Auto populated: The results of an analysis of more than 400,000 IP addresses found on the OpenPhish website, compiled by the Phishing Research Team, have been published on Facebook, Twitter and Facebook.)", "modified": "2023-11-30T22:00:36.762000", "created": "2023-10-31T22:49:22.495000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544cc36799d1c45c82c1ed7", "name": "Australia Immortal | Ponmicup | Beach Research", "description": "", "modified": "2023-11-30T22:00:36.762000", "created": "2023-11-03T10:32:22.249000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "65418472eb20b10ee5510fde", "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65459d8355ffcc57175db685", "name": "Australia Immortal | Ponmicup | Beach Research", "description": "", "modified": "2023-11-30T22:00:36.762000", "created": "2023-11-04T01:25:23.996000", "tags": [ "url https", "url http", "months ago", "michael roberts", "scan endpoints", "all milesit", "octoseek report", "spam author", "modified", "handle", "next", "returnurl", "potential", "ipv4", "rexxfield", "cyber threat", "united", "malicious", "team phishing", "hostname", "malware site", "coalition", "control server", "covid19", "malicious site", "malware", "team", "phishing", "virustotal", "bank", "facebook", "plasma", "kraken", "redline stealer", "citadel", "zeus", "ransomware", "zbot", "emotet", "simda", "pykspa", "inmortal", "domains", "detection list", "blacklist", "generic malware", "blacklist https", "cisco umbrella", "site", "alexa top", "safe site", "million", "ponmocup", "tsara brashears", "name verdict", "falcon sandbox", "et cins", "active threat", "reputation ip", "relay", "malicious host", "ice fog", "mail spammer", "brute force", "as11404", "first", "phishing site", "malicious url", "heur", "riskware", "agent", "unsafe", "download", "opencandy", "exploit", "mimikatz", "quasar rat", "iframe", "downldr", "presenoker", "artemis", "azorult", "service", "runescape", "union", "beach research", "drones", "miles2", "songculture attacked", "phishing", "monitoring", "mailtrak", "tracking", "geoapy", "location tracking", "obsession" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "6544cc36799d1c45c82c1ed7", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3121, "domain": 1121, "hostname": 972, "FileHash-SHA256": 564, "email": 2, "CVE": 4, "FileHash-MD5": 74, "FileHash-SHA1": 39 }, "indicator_count": 5897, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cpcontacts.whitefools.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cpcontacts.whitefools.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639748.2529242 }