{ "type": "URL", "indicator": "https://d4twhgtvn0ff5.cloudfront.net/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://d4twhgtvn0ff5.cloudfront.net/", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #569", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #4161", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain cloudfront.net", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain cloudfront.net", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3739889281, "indicator": "https://d4twhgtvn0ff5.cloudfront.net/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "69e1cc70fcbd3f613502e1f7", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T09:28:38.049000", "created": "2026-04-17T06:00:16.867000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 442, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24911, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1cc6fd3c4022e08db781d", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T06:51:33.372000", "created": "2026-04-17T06:00:15.760000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 441, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24910, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692131f725473d708579ec3a", "name": "Drive-by Compromise", "description": "", "modified": "2025-11-22T03:45:59.649000", "created": "2025-11-22T03:45:59.649000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ae705371a43d76d8f6e69", "name": "Trojan:Win32/Comisproc", "description": "Trojan:Win32/Comisproc!gmb\n[https://www.smsrl.it/en/foundry-toolings/prototypes/sand-casting/]\nFrom previous Hostile Denver community\u2019s pulse \u2018Vashti\u2019 public.Hi!\nI am Vashti. Named after a Queen married to a perverted King who after weeks of rimless and gluttony asked his wife the Queen to reveal herself to the men in his \u2018freak off\u2019 like a true lady she refused and was dethroned. Not a Queens obligation to this. She stood for her rights. He later married a child named Queen Esther.\n#Vashti_said_tell_your_ cat_i_said_hi #foundry #hitmen #comispro #denver #uptown #levelblue", "modified": "2025-08-30T03:00:57.020000", "created": "2025-07-31T03:46:13.849000", "tags": [ "italy unknown", "unknown ns", "united", "moved", "ip address", "creation date", "encrypt", "search", "record value", "entries", "body", "date", "passive dns", "urls", "url add", "pulse pulses", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "a domains", "present jul", "showing", "domains", "domain add", "meta", "encrypt free", "research group", "isrg", "next http", "scans show", "extraction", "data upload", "extra", "source ur", "include data", "type", "extra data", "msie", "windows nt", "win64", "slcc2", "media center", "tlsv1", "show", "unknown", "trojan", "copy", "write", "malware", "hostile", "present may", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present jun", "next associated", "medium", "high", "a file", "ms defender", "files matching", "number", "sample analysis", "hide samples", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "command", "mitre att", "ck techniques", "ascii text", "copy md5", "copy sha1", "copy sha256", "size", "sha1", "sha256", "pattern match", "jfif", "exif standard", "core", "hybrid", "general", "local", "path", "click", "strings", "format" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1088, "hostname": 407, "domain": 621, "FileHash-SHA1": 156, "FileHash-SHA256": 1498, "email": 2, "FileHash-MD5": 204, "SSLCertFingerprint": 11 }, "indicator_count": 3987, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68788dfd4a0943cb318c7137", "name": "DarkWatchman Chekin Activity", "description": "", "modified": "2025-08-16T06:02:36.091000", "created": "2025-07-17T05:45:33.250000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7596, "FileHash-SHA1": 3987, "FileHash-SHA256": 8622, "URL": 1922, "domain": 2530, "hostname": 2524, "email": 37, "CVE": 6, "SSLCertFingerprint": 6 }, "indicator_count": 27230, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "678f0dbdbc59dd2ea5656dcf", "name": "Order ", "description": "", "modified": "2025-01-21T03:00:13.071000", "created": "2025-01-21T03:00:13.071000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aclause21", "id": "303913", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "453 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f31b9a0551ca166c872292", "name": "Drive-by Compromise - Cyber warfare 4K + Unsuspecting potential victims", "description": "Network outage. Severe attack appears to disseminate from Denver, Co Charter Communications /Spectrum Denver - network and devices hacked. Successful at bringing down the network of 4000 + Whitesky clients, remotely sourcing targeted devices, leaking confidential information, phishing, deletng countless files. Most people in homes and building managers are referring to the multi day outage as outage or glitch. Located targeted devices, files encrypted, forced content, dumping & other malicious activity. \n*Cyber Folks .pl\n*https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n|| DDoS:Linux/Gafgyt.YA!MTB\nCVE-2017-17215\nVirus:Win32/Sivis.A\nBackdoor:Win32/Tofsee\nCVE-2014-8361\nCVE-2023-27350\nM1\nMirai\nNIDS\nOneLouder\nRansom\nRansom:Win32/Haperlock\nTEL:CreateScheduledTask ,\nTofsee , Trojan:Win32/Neurevt , Zombie.A ,TrojanSpy ,\nUnix.Trojan.Mirai ,Oxypumper , Qshell , Installcore ,Sarwent", "modified": "2024-10-24T19:00:50.385000", "created": "2024-09-24T20:05:46.785000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e47020bdbbc384d102d169", "name": "AWS Botnet *2nd L\u2070\u2070K \u00bb Quantum Fiber | Brute Forcer", "description": "I researched link again. Stealthy hackers surrounding a targets whereabouts in Denver Metro/Denver Proper (Co) and surrounding areas. Unsafe targeting activity escalates.\n\n*Tip { PDF:UrlMal-inf\\ [Trj] - https://www.quantumfiber.com/moving.html?utm_source=Digital&utm_medium=DV360_YouTube&utm_campaign=QuantumFiber_Residential_Prospecting&utm_content=Movers-RES-QF-Movers-ACH-OLV30-50-YouTube-NA&gclid=CjwKCAjwooq3BhB3Eiw } Malware Families:\nWin.Dropper.LokiBot-9975730-0\n#LowFiEnableDTContinueAfterUnpacking\n#LowFiMalf_gen\nALF:PUA:Block:IObit\nALF:Program:Win32/Webcompanion\nALF:Ransom:Win32/Babax\nALF:Trojan:Win32/FormBook\nAWS\nPDF:UrlMal-inf\\ [Trj]\nTrojan:Win32/Qbot\nTrojanDownloader:Win32/Upatre\nUnix\nUnix.Malware.Generic-9875933-0\nVirTool:Win32/Injector\nVirTool:Win32/Obfuscator\nWin.Dropper.LokiBot-9975730-0\nWin.Keylogger.Banbra-9936388-0\nWorm:Win32/Mofksys", "modified": "2024-10-13T13:01:27.179000", "created": "2024-09-13T17:02:24.806000", "tags": [ "namecheap", "server", "registrar abuse", "code", "dnssec", "email", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "vhash", "authentihash", "imphash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "trid upx", "win16 ne", "generic", "packer", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "upx0", "1 upx1", "upx2", "sysinternals", "zenbox", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "dynamic", "utc na", "utc facebook", "html info", "meta tags", "commerce cloud", "trackers google", "tag manager", "gtmkj5bfwx", "utc gtmp4hkt96", "utc gtm5z5w687v", "sample", "t1497", "sandbox evasion", "may sleep", "downloads", "http performs", "mitre att", "evasion ta0005", "upx software", "t1036 creates", "get http", "post http", "number", "ja3s", "algorithm", "subject", "data", "server ca", "odigicert inc", "cus lsan", "calls", "text", "passive dns", "urls", "scan endpoints", "all scoreblue", "url https", "http", "ip address", "related nids", "files location", "as8068", "united", "unknown", "ref b", "wed may", "entries", "mtb dec", "body", "please", "twitter", "malware", "trojan", "trojan features", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "worm", "win32", "alf features", "aaaa", "cname", "united kingdom", "creation date", "certificate", "tlsv1", "oglobalsign", "stzhejiang", "lhangzhou", "oalibaba", "china", "encrypt", "copy", "write", "august", "local", "xport", "regsetvalueexa", "regdword", "regbinary", "medium", "high", "regsetvalueexw", "regsz", "langchinese", "delphi", "persistence", "execution", "read c", "create c", "msie", "windows nt", "wow64", "slcc2", "media center", "write c", "delete c", "mozilla", "as62597 nsone", "domain", "as20940", "as8075", "virtool", "whitelisted ip", "location united", "asn as8068", "registrar", "markmonitor", "tags", "related tags", "threat roundup", "october", "historical ssl", "referrer", "round", "december", "november", "guloader", "files", "detections file", "name file", "file size", "name", "html", "cab null", "ubuntu", "linux x8664", "contentlength", "gobrut", "malware c", "c request", "config", "meta", "photolan", "moved", "a domains", "as47748 daticum", "meta http", "content", "gmt server", "ipv4", "pragma", "apache", "sales", "expiration date", "name servers", "asnone bulgaria", "ns nxdomain", "nxdomain", "soa nxdomain", "cape", "gobrut malware", "suricata", "et malware", "bruter cnc", "checkin", "activity", "malware config", "yara detections", "contacted", "a li", "li ul", "div div", "set cookie", "as29873", "link", "hong kong", "as45102 alibaba", "div li", "gmt max", "age2592000 path", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "false", "as2914 ntt", "record value", "data redacted", "as4230 claro", "invalid url", "research group", "as13768 aptum", "canada unknown", "canada", "hostpapa", "hosting", "click", "rdds service", "record", "registrant", "admin", "tech contact", "script domains", "as3257 gtt", "asnone canada", "access denied", "servers", "emails", "as397241", "as31898 oracle", "as397240", "overview ip", "flag united", "hostname", "files domain", "as15169 google", "as396982 google", "as16625 akamai", "as35994 akamai", "france", "discovery", "t1010", "t1012", "t1027", "information", "t1055", "injection", "t1057", "t1059", "ssh attacker", "mitm", "aitm", "tracker", "botnet", "binary", "ghostscript", "brendan coates", "daley", "trent wiltshire", "aws botnet", "filehashsha256", "filehashsha1", "filehashmd5", "https", "salitiy", "unix malware", "created", "url http", "unix", "aws", "role title", "added active", "report spam", "quantumfiber", "denver co", "critical", "default", "traditional", "compiler", "intel", "ms windows", "ssdeep", "rich pe", "imphash", "utc gtm5z5w687v", "utc gtmp4hkt96", "pecompact", "packer", "ids", "commerce cloud", "meta tags", "gmt etag", "accept encoding", "accept", "status", "west domains", "path", "author avatar", "active file", "denver", "vt graph", "currently", "im unaware", "pnpd5d", "susp", "filehash", "av detections", "pecompact", "february", "asnone germany", "as21499 host", "singapore", "germany", "object", "alerts", "icmp traffic", "createdate", "microsoft color", "msft", "format", "as44273 host", "content type", "kodak easyshare", "easyshare", "eastman kodak", "kodak", "kukacka", "virus", "rsdsr7siwwd d", "install", "service", "explorer", "windows", "name type", "md5 process", "sqlite", "sqlite version", "active", "pre crime", "cyber attack", "hackers", "quantum fiber", "quantumfiber.com", "target tsara brashears", "tech id", "hallrender", "brian sabey", "hijack", "spotify artists", "idlinea8 sep", "xo544", "xa10629", "sitegg", "fcolorffffff", "net1", "inhibit system", "oracle", "level 3" ], "references": [ "QuantumFiber.com a 2nd look", "Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]", "13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion", "IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.", "IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.", "Win.Dropper.LokiBot-9975730-0", "Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9", "IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread", "Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a", "Yara Detections: Delphi", "IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity", "IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)", "Query to a *.top domain - Likely Hostile Query for .cc TLD", "Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad", "Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction", "Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config", "Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat", "Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Unix.Malware.Generic:", "Unix.Malware.Generic:", "networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt", "wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com", "Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys", "Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0", "Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0", "Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Keylogger.Banbra-9936388-0", "display_name": "Win.Keylogger.Banbra-9936388-0", "target": null }, { "id": "#LowFiMalf_gen", "display_name": "#LowFiMalf_gen", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "ALF:Ransom:Win32/Babax", "display_name": "ALF:Ransom:Win32/Babax", "target": null }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "ALF:PUA:Block:IObit", "display_name": "ALF:PUA:Block:IObit", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Unix.Malware.Generic-9875933-0", "display_name": "Unix.Malware.Generic-9875933-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Unix", "display_name": "Unix", "target": null }, { "id": "AWS", "display_name": "AWS", "target": null }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "PDF:UrlMal-inf\\ [Trj]", "display_name": "PDF:UrlMal-inf\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1510", "name": "Clipboard Modification", "display_name": "T1510 - Clipboard Modification" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1644, "FileHash-SHA1": 1614, "FileHash-SHA256": 2742, "URL": 2708, "domain": 2150, "hostname": 2508, "email": 21, "SSLCertFingerprint": 33, "CVE": 2 }, "indicator_count": 13422, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d49947eaaf6c57bec78719", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "", "modified": "2024-10-01T16:04:13.437000", "created": "2024-09-01T16:41:43.676000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": "66ac1de146fa19aeb4bb119a", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ac1de146fa19aeb4bb119a", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "Ransomware, hacking, Linux attacks. 7notrump.com has been in circulation for more than 1 year. Malicious, pre-existing and not the result of hackers attempting to suddenly attack recently made vulnerable entities. Backdoor:Linux/Tsunami.C!MTB\nBackdoor:Linux/Tsunami.C!MTB , Ransom.Win32.Birele.gsg , Trojan:Win32/Neconyd.A , VirTool:Win32/CeeInject.SN!bit , \nC!MTB ,\nCheckin Win32/ExpressDownloader , \nET ,\nRansom.Win32.Birele.gsg , \nTrojan:Win32/Neconyd.A\nVirTool:Win32/CeeInject.SN!bit , Win.Worm.Mydoom-5 ,\nWin32.Birele.gsg", "modified": "2024-10-01T16:04:13.437000", "created": "2024-08-01T23:44:33.058000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccc0e15d2c624ffa080a50", "name": "Botgor | See OG Link: https://otx.alienvault.com/pulse/66ccbb1146fb07a45b6b97fe", "description": "", "modified": "2024-09-25T15:03:34.890000", "created": "2024-08-26T17:52:33.104000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": "66ccbb1146fb07a45b6b97fe", "export_count": 4029, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1492, "FileHash-MD5": 4799, "URL": 1297, "email": 17, "hostname": 1487, "FileHash-SHA1": 3901, "FileHash-SHA256": 8846, "URI": 1 }, "indicator_count": 21840, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b4f1234e20d1551dd7647a", "name": "Boratoken - x.com | Ransom | SnakeKeylogger | X.com redirect | Brian Sabey search results", "description": "Aggressively malicious x.com template.\nIntroduction: ' I was surprised to find this' regarding Google Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO, Brian Sabey,etc,.\nImpacts at least 1 single individual, virustotal, Twitter/x.com.", "modified": "2024-09-07T22:38:23.513000", "created": "2024-08-08T16:24:02.550000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "all scoreblue", "pulse use", "domain", "ipv4", "url http", "url https", "cidr", "email", "ipv6", "code", "pdf report", "contact", "contacted", "registrar abuse", "phishing", "malware beacon", "x com", "twitter", "ransomware", "pyinstaller", "trojanspy", "trojan", "borpa", "samas", "formbook", "formbook cnc", "vtflooder", "namecheap", "'m nudie", "remote job", "get her work", "false files", "pornhub", "aaaa", "proofpoint", "are you hiring", "unknown", "united", "asnone united", "creation date", "search", "germany unknown", "expiration date", "date", "showing", "as61969 team", "body", "meta", "code", "screenshot", "servers", "server", "web attack" ], "references": [ "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "http://borpatoken.com/", "netflix.com Akamai rank: #6", "phyn.app", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "x.com related: www.pornhub.com", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 500, "FileHash-SHA1": 485, "FileHash-SHA256": 1177, "URL": 1033, "SSLCertFingerprint": 4, "domain": 801, "hostname": 1139, "email": 14, "CIDR": 2 }, "indicator_count": 5155, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b4e1b160db601dc0d36b28", "name": "Phishing | Malware | Reputation | VT Flooder -x.com 'Malicious' Twitter template Brian Sabey Hall Render search results", "description": "VTFlooder - Impacting Virustotal with DOS aytack. Clear aggressive command codes to locate Tsara Brashears. Will attack all things deemed TB \u00bb Google Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO/ Brian Sabey Introduction: 'surprised to see 'tulach' malware.", "modified": "2024-09-07T15:03:07.903000", "created": "2024-08-08T15:18:09.055000", "tags": [ "contact", "contacted", "twitter", "phishing", "all scoreblue", "impacting azure", "ca issuuer", "google", "crack", "click", "as396982 google", "united", "unknown", "passive dns", "entries", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "win32", "search", "creation date", "pulses", "encrypt", "record value", "emails", "expiration date", "showing", "date", "next", "log id", "gmtn", "tls web", "http", "unique", "ca issuers", "a8n timestamp", "false", "\u2019m nudie", "as60592 gransy", "czechia unknown", "name servers", "domain", "as54600 peg", "a nxdomain", "bq jun", "virtool", "contentlength", "generic http", "exe upload", "show", "cape", "activity", "inbound", "delete", "trojan", "copy", "malware", "write", "levelblue", "open threat", "dns lookup", "flooder", "as15169 google", "for privacy", "as16276", "france unknown", "refresh", "a domains", "as20940", "aaaa", "as4230 claro", "status", "cname", "as2914 ntt", "nxdomain", "meta", "files", "virustotal" ], "references": [ "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://otx.alienvault.com/indicator/url/http://108.ns768.com", "https://www.hansreinl.de/blog/twitter-recess-css-cleaning-tool-build-on-less", "http://dezaula.com/myadd?id=186&q=connectify+hotspot+pro+2017+crack", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "botnetsinkhole@gmail.com", "Virus Total vtapi DOS", "https://otx.alienvault.com/indicator/file/21ed90477e60b574d8b76d996f2e5cd2ba9c613f3f340032a6f03efb69722abc", "Because: Jeffrey Scott Reimer assaulted Tsara Brashears leaving her with a multi spinal cord injury + TBI", "This should be illegal everyone knows who uses these resources" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "\u2019m Nudie", "display_name": "\u2019m Nudie", "target": null }, { "id": "Worm:Win32/Nuqel.TB", "display_name": "Worm:Win32/Nuqel.TB", "target": "/malware/Worm:Win32/Nuqel.TB" }, { "id": "Trojan:Win32/Vflooder.E", "display_name": "Trojan:Win32/Vflooder.E", "target": "/malware/Trojan:Win32/Vflooder.E" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 138, "FileHash-MD5": 334, "FileHash-SHA1": 335, "FileHash-SHA256": 342, "domain": 623, "hostname": 390, "email": 5, "SSLCertFingerprint": 2 }, "indicator_count": 2169, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "589 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a4d15c60edc83ca6bfc97e", "name": "Fraud Services, Updates, Network Worm, SpyWare - Misc Attack", "description": "", "modified": "2024-08-26T10:04:37.360000", "created": "2024-07-27T10:52:12.501000", "tags": [ "united", "unknown", "a domains", "search", "creation date", "record value", "cyberlynk", "date", "expiration date", "title", "encrypt", "body", "as54113", "aaaa", "cname", "next", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "files", "type name", "android", "server", "registrar abuse", "dnssec", "domain name", "contact phone", "registrar url", "registrar whois", "registrar", "llc registry", "code", "key identifier", "subject key", "identifier", "x509v3 key", "first", "dns replication", "historical ssl", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "site", "malware", "safe site", "million", "alexa top", "malicious site", "phishing site", "suspected", "unsafe", "wacatac", "artemis", "iframe", "presenoker", "phishing", "opencandy", "downldr", "cleaner", "conduit", "riskware", "nircmd", "swrort", "tiggre", "agent", "filetour", "fusioncore", "unruy", "crack", "exploit", "cobalt strike", "xrat", "alexa", "acint", "systweak", "behav", "genkryptik", "blacknet rat", "stealer", "installpack", "azorult", "service", "runescape", "facebook", "bank", "download", "zbot", "xtrat", "installcore", "patcher", "adload", "win64", "class", "twitter", "accept", "malware site", "maltiverse", "ransomware", "phishingms", "anonymisation", "suppobox", "emotet", "revengerat", "downloader", "emailworm", "ramnit", "warbot", "citadel", "zeus", "simda", "keitaro", "virut", "team", "cultureneutral", "get na", "show", "delete c", "delete", "yara detections", "copy", "nivdort", "write", "trojanspy", "bayrob", "intel", "ms windows", "default", "pe32 executable", "document file", "v2 document", "pe32", "worm", "entries", "td td", "rufus", "mtb apr", "servers", "as39122", "span", "github pages", "passive dns", "formbook cnc", "checkin", "dridex", "request", "less see", "http request", "status", "name servers", "certificate", "urls", "div div", "header click", "meta", "homepage", "form", "date hash", "avast avg", "backdoor", "mtb jul", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "sha256", "sha1", "ascii text", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "null", "hybrid", "refresh", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "suspicious", "windows nt", "apache", "path", "pragma", "footer", "as8068", "as8075", "as15169 google", "as16552 tiggee", "virtool", "related pulses", "file samples", "files matching", "showing", "domain", "as22612", "as397240", "as19527 google", "moved", "gmt server", "as20940", "as4230 claro", "trojan", "ninite", "as2914 ntt", "win32", "brazil unknown", "brazil", "invalid url", "trojandropper", "body html", "head title", "asnone united", "as23393" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "India" ], "malware_families": [ { "id": "Dridex", "display_name": "Dridex", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1034, "domain": 1210, "email": 13, "hostname": 1031, "FileHash-SHA1": 685, "FileHash-SHA256": 1036, "FileHash-MD5": 927, "CVE": 10 }, "indicator_count": 5946, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b8fe985a7460e0ee01be8a", "name": "r3.o.lencr.org", "description": "", "modified": "2024-08-11T18:14:13.378000", "created": "2024-08-11T18:10:32.276000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64dc045f5344129c48c41826", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 664, "email": 13, "hostname": 1352, "FileHash-SHA256": 2550, "URL": 5422, "FileHash-MD5": 761, "FileHash-SHA1": 615 }, "indicator_count": 11377, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "615 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dc045f5344129c48c41826", "name": "r3.o.lencr.org", "description": "Malware. R3.o.lencr.org is a browser-redirecting app aka browser hijacking, that attaches itself to main browser in devices. Ability to take control over some settings. Tracker. Scammers use Lencr.org/ LetsEncrypt in websites that have malicious content and activities. \nMalicious Activity:\nALF:Trojan:Win32/Cassini_f9070846!ibt\nALFPER:CERT:SoftwareBundler:Win32/InstallMonetizer\nTrojan:Win32/Dorv.A!rfn\nTrojan:Win32/Prepscram\nTrojan:Win32/Zbot.SIBG!MTB\nTrojanDownloader:Win32/Banload\nTrojanDownloader:Win32/Upatre.D\nTrojanDownloader:Win32/Upatre.J\nWin.Downloader.Mailru-9797354-1\nWin.Dropper.Agent-185636\nRiskware\nMalicious Adware spamming \n\n(Auto Generated Description: A complete list of malicious files has been published on the website of Cloudflare.com, the company that provides access to the service for users who use its services to access their email addresses.)", "modified": "2023-09-15T04:05:29.096000", "created": "2023-08-15T23:03:59.403000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 664, "email": 13, "hostname": 1352, "FileHash-SHA256": 1750, "URL": 5422, "FileHash-MD5": 207, "FileHash-SHA1": 61 }, "indicator_count": 9469, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dc046b5e8f1a8a730b4b5a", "name": "r3.o.lencr.org", "description": "Malware. R3.o.lencr.org is a browser-redirecting app aka browser hijacking, that attaches itself to main browser in devices. Ability to take control over some settings. Tracker. Scammers use Lencr.org/ LetsEncrypt in websites that have malicious content and activities. \nMalicious Activity:\nALF:Trojan:Win32/Cassini_f9070846!ibt\nALFPER:CERT:SoftwareBundler:Win32/InstallMonetizer\nTrojan:Win32/Dorv.A!rfn\nTrojan:Win32/Prepscram\nTrojan:Win32/Zbot.SIBG!MTB\nTrojanDownloader:Win32/Banload\nTrojanDownloader:Win32/Upatre.D\nTrojanDownloader:Win32/Upatre.J\nWin.Downloader.Mailru-9797354-1\nWin.Dropper.Agent-185636\nRiskware\nMalicious Adware spamming \n\n(Auto Generated Description: A complete list of malicious files has been published on the website of Cloudflare.com, the company that provides access to the service for users who use its services to access their email addresses.)", "modified": "2023-09-14T22:03:31.530000", "created": "2023-08-15T23:04:11.199000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 147, "email": 1, "hostname": 364, "FileHash-SHA256": 260, "URL": 1749 }, "indicator_count": 2521, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dc046a5a8beadd263d255d", "name": "r3.o.lencr.org", "description": "Malware. R3.o.lencr.org is a browser-redirecting app aka browser hijacking, that attaches itself to main browser in devices. Ability to take control over some settings. Tracker. Scammers use Lencr.org/ LetsEncrypt in websites that have malicious content and activities. \nMalicious Activity:\nALF:Trojan:Win32/Cassini_f9070846!ibt\nALFPER:CERT:SoftwareBundler:Win32/InstallMonetizer\nTrojan:Win32/Dorv.A!rfn\nTrojan:Win32/Prepscram\nTrojan:Win32/Zbot.SIBG!MTB\nTrojanDownloader:Win32/Banload\nTrojanDownloader:Win32/Upatre.D\nTrojanDownloader:Win32/Upatre.J\nWin.Downloader.Mailru-9797354-1\nWin.Dropper.Agent-185636\nRiskware\nMalicious Adware spamming \n\n(Auto Generated Description: A complete list of malicious files has been published on the website of Cloudflare.com, the company that provides access to the service for users who use its services to access their email addresses.)", "modified": "2023-09-14T22:03:31.530000", "created": "2023-08-15T23:04:10.805000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 147, "email": 1, "hostname": 364, "FileHash-SHA256": 260, "URL": 1749 }, "indicator_count": 2521, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dc046719495deba564bbd8", "name": "r3.o.lencr.org", "description": "Malware. R3.o.lencr.org is a browser-redirecting app aka browser hijacking, that attaches itself to main browser in devices. Ability to take control over some settings. Tracker. Scammers use Lencr.org/ LetsEncrypt in websites that have malicious content and activities. \nMalicious Activity:\nALF:Trojan:Win32/Cassini_f9070846!ibt\nALFPER:CERT:SoftwareBundler:Win32/InstallMonetizer\nTrojan:Win32/Dorv.A!rfn\nTrojan:Win32/Prepscram\nTrojan:Win32/Zbot.SIBG!MTB\nTrojanDownloader:Win32/Banload\nTrojanDownloader:Win32/Upatre.D\nTrojanDownloader:Win32/Upatre.J\nWin.Downloader.Mailru-9797354-1\nWin.Dropper.Agent-185636\nRiskware\nMalicious Adware spamming \n\n(Auto Generated Description: A complete list of malicious files has been published on the website of Cloudflare.com, the company that provides access to the service for users who use its services to access their email addresses.)", "modified": "2023-09-14T22:03:31.530000", "created": "2023-08-15T23:04:07.914000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 147, "email": 1, "hostname": 364, "FileHash-SHA256": 260, "URL": 1749 }, "indicator_count": 2521, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dc046717ad683a5239a8a6", "name": "r3.o.lencr.org", "description": "Malware. R3.o.lencr.org is a browser-redirecting app aka browser hijacking, that attaches itself to main browser in devices. Ability to take control over some settings. Tracker. Scammers use Lencr.org/ LetsEncrypt in websites that have malicious content and activities. \nMalicious Activity:\nALF:Trojan:Win32/Cassini_f9070846!ibt\nALFPER:CERT:SoftwareBundler:Win32/InstallMonetizer\nTrojan:Win32/Dorv.A!rfn\nTrojan:Win32/Prepscram\nTrojan:Win32/Zbot.SIBG!MTB\nTrojanDownloader:Win32/Banload\nTrojanDownloader:Win32/Upatre.D\nTrojanDownloader:Win32/Upatre.J\nWin.Downloader.Mailru-9797354-1\nWin.Dropper.Agent-185636\nRiskware\nMalicious Adware spamming \n\n(Auto Generated Description: A complete list of malicious files has been published on the website of Cloudflare.com, the company that provides access to the service for users who use its services to access their email addresses.)", "modified": "2023-09-14T22:03:31.530000", "created": "2023-08-15T23:04:07.114000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 147, "email": 1, "hostname": 364, "FileHash-SHA256": 260, "URL": 1749 }, "indicator_count": 2521, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dc0463e890964b99513901", "name": "r3.o.lencr.org", "description": "Malware. R3.o.lencr.org is a browser-redirecting app aka browser hijacking, that attaches itself to main browser in devices. Ability to take control over some settings. Tracker. Scammers use Lencr.org/ LetsEncrypt in websites that have malicious content and activities. \nMalicious Activity:\nALF:Trojan:Win32/Cassini_f9070846!ibt\nALFPER:CERT:SoftwareBundler:Win32/InstallMonetizer\nTrojan:Win32/Dorv.A!rfn\nTrojan:Win32/Prepscram\nTrojan:Win32/Zbot.SIBG!MTB\nTrojanDownloader:Win32/Banload\nTrojanDownloader:Win32/Upatre.D\nTrojanDownloader:Win32/Upatre.J\nWin.Downloader.Mailru-9797354-1\nWin.Dropper.Agent-185636\nRiskware\nMalicious Adware spamming \n\n(Auto Generated Description: A complete list of malicious files has been published on the website of Cloudflare.com, the company that provides access to the service for users who use its services to access their email addresses.)", "modified": "2023-09-14T22:03:31.530000", "created": "2023-08-15T23:04:03.466000", "tags": [ "as20940", "united", "trojan", "search", "passive dns", "urls", "entries", "dashboard", "browse scan", "endpoints all", "date", "a domains", "aaaa", "record value", "scan endpoints", "all search", "otx octoseek", "domain related", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 147, "email": 1, "hostname": 364, "FileHash-SHA256": 260, "URL": 1749 }, "indicator_count": 2521, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "netflix.com Akamai rank: #6", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Tofsee: 'google.com' | https://www.gov50.icu |", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion", "Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0", "Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "www.pornhubselect.com | pornhub.software", "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "Virus Total vtapi DOS", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "QuantumFiber.com a 2nd look", "IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com", "http://dezaula.com/myadd?id=186&q=connectify+hotspot+pro+2017+crack", "https://www.hansreinl.de/blog/twitter-recess-css-cleaning-tool-build-on-less", "This should be illegal everyone knows who uses these resources", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "http://borpatoken.com/", "https://otx.alienvault.com/indicator/file/21ed90477e60b574d8b76d996f2e5cd2ba9c613f3f340032a6f03efb69722abc", "Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction", "IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "Query to a *.top domain - Likely Hostile Query for .cc TLD", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "Win.Dropper.LokiBot-9975730-0", "DISTINCTIO8.pdf", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "phyn.app", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "Unix.Malware.Generic:", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "hubt.pornhub.com | www.pornhub.com | pornative.com", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "Yara Detections: Delphi", "botnetsinkhole@gmail.com", "IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "Because: Jeffrey Scott Reimer assaulted Tsara Brashears leaving her with a multi spinal cord injury + TBI", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "https://otx.alienvault.com/indicator/url/http://108.ns768.com", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt", "RASMONTR.DLL 192.168.56.101", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "a-fondness-for-beauty.com", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.", "https://tulach.cc/ | tulach.cc |", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "x.com related: www.pornhub.com", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://www.pornhub.com/video/search?search=tsara+brashears", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "Yara Detections: is__elf , DemonBot", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Worm:win32/mofksys", "#lowfimalf_gen", "Trojan:win32/qbot", "Unix.malware.generic-9875933-0", "Ransom.win32.birele.gsg", "#lowficreateremotethread", "Alf:trojan:win32/formbook", "Win.malware.oxypumper-6900435-0", "Trojan:win32/qqpass", "Unix.trojan.mirai-6981169-0", "Trojanspy:win32/nivdort.di", "Rasmontr.dll", "Win32:crypterx-gen\\ [trj]", "Ransom", "Cve-2017-17215", "Backdoor:win32/tofsee", "Trojan:win32/glupteba", "Alf:ransom:win32/babax", "Virtool:win32/injector", "Trojanspy", "Alf:program:win32/webcompanion", "Et", "Win.trojan.installcore-1177", "Cve-2023-27350", "Checkin win32/expressdownloader", "Ddos:linux/gafgyt.ya!mtb", "Trojan:win32/salgorea", "Win32/trojandropper", "Trojan:win32/blihan", "Virus:win32/sivis.a", "Win.keylogger.banbra-9936388-0", "Virtool:win32/obfuscator", "#lowfienabledtcontinueafterunpacking", "Unix", "Backdoor:win32/botgor", "Ransom:win32/haperlock", "Backdoor:linux/tsunami.c!mtb ransom.win32.birele.gsg trojan:win32/neconyd.a virtool:win32/ceeinject.sn!bit", "Trojan:win32/neconyd.a", "Win32.birele.gsg", "Trojan:win32/muldrop", "Trojan:win32/emotet.pc!mtb", "\u2019m nudie", "Trojan:win32/neurevt", "Elf:hajime-q\\ [trj]", "Tel:trojan:win32/trojandownloader", "Cve-2014-8361", "C!mtb", "Nids", "Worm:win32/fasong", "Pdf:urlmal-inf\\ [trj]", "Virtool:win32/ceeinject.sn!bit", "Onelouder", "Backdoor:linux/tsunami.c!mtb", "Win.worm.mydoom-5", "Trojan:win32/vflooder.e", "Aws", "Worm:win32/nuqel.tb", "Dridex", "Alf:pua:block:iobit", "Pws:win32/vb", "Tel:createscheduledtask", "Trojandownloader:win32/upatre", "Alf:trojan:win32/cassini_f28c33a2", "Tofsee", "Trojan:win32/zbot.sibb3!mtb", "Win.trojan.sarwent-10012602-0", "Win.malware.qshell-9875653-0", "Trojan:win32/cryptinject", "Win32/tasekjom.a", "Mirai", "Win.dropper.lokibot-9975730-0", "M1", "Trojan:win32/zombie.a" ], "industries": [ "Media", "Telecommunications", "Civilian devices", "Technology", "Government" ], "unique_indicators": 100710 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudfront.net", "whois": "http://whois.domaintools.com/cloudfront.net", "domain": "cloudfront.net", "hostname": "d4twhgtvn0ff5.cloudfront.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "69e1cc70fcbd3f613502e1f7", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T09:28:38.049000", "created": "2026-04-17T06:00:16.867000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 442, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24911, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1cc6fd3c4022e08db781d", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T06:51:33.372000", "created": "2026-04-17T06:00:15.760000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 441, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24910, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692131f725473d708579ec3a", "name": "Drive-by Compromise", "description": "", "modified": "2025-11-22T03:45:59.649000", "created": "2025-11-22T03:45:59.649000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ae705371a43d76d8f6e69", "name": "Trojan:Win32/Comisproc", "description": "Trojan:Win32/Comisproc!gmb\n[https://www.smsrl.it/en/foundry-toolings/prototypes/sand-casting/]\nFrom previous Hostile Denver community\u2019s pulse \u2018Vashti\u2019 public.Hi!\nI am Vashti. Named after a Queen married to a perverted King who after weeks of rimless and gluttony asked his wife the Queen to reveal herself to the men in his \u2018freak off\u2019 like a true lady she refused and was dethroned. Not a Queens obligation to this. She stood for her rights. He later married a child named Queen Esther.\n#Vashti_said_tell_your_ cat_i_said_hi #foundry #hitmen #comispro #denver #uptown #levelblue", "modified": "2025-08-30T03:00:57.020000", "created": "2025-07-31T03:46:13.849000", "tags": [ "italy unknown", "unknown ns", "united", "moved", "ip address", "creation date", "encrypt", "search", "record value", "entries", "body", "date", "passive dns", "urls", "url add", "pulse pulses", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "a domains", "present jul", "showing", "domains", "domain add", "meta", "encrypt free", "research group", "isrg", "next http", "scans show", "extraction", "data upload", "extra", "source ur", "include data", "type", "extra data", "msie", "windows nt", "win64", "slcc2", "media center", "tlsv1", "show", "unknown", "trojan", "copy", "write", "malware", "hostile", "present may", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present jun", "next associated", "medium", "high", "a file", "ms defender", "files matching", "number", "sample analysis", "hide samples", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "command", "mitre att", "ck techniques", "ascii text", "copy md5", "copy sha1", "copy sha256", "size", "sha1", "sha256", "pattern match", "jfif", "exif standard", "core", "hybrid", "general", "local", "path", "click", "strings", "format" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1088, "hostname": 407, "domain": 621, "FileHash-SHA1": 156, "FileHash-SHA256": 1498, "email": 2, "FileHash-MD5": 204, "SSLCertFingerprint": 11 }, "indicator_count": 3987, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68788dfd4a0943cb318c7137", "name": "DarkWatchman Chekin Activity", "description": "", "modified": "2025-08-16T06:02:36.091000", "created": "2025-07-17T05:45:33.250000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7596, "FileHash-SHA1": 3987, "FileHash-SHA256": 8622, "URL": 1922, "domain": 2530, "hostname": 2524, "email": 37, "CVE": 6, "SSLCertFingerprint": 6 }, "indicator_count": 27230, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "678f0dbdbc59dd2ea5656dcf", "name": "Order ", "description": "", "modified": "2025-01-21T03:00:13.071000", "created": "2025-01-21T03:00:13.071000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aclause21", "id": "303913", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "453 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f31b9a0551ca166c872292", "name": "Drive-by Compromise - Cyber warfare 4K + Unsuspecting potential victims", "description": "Network outage. Severe attack appears to disseminate from Denver, Co Charter Communications /Spectrum Denver - network and devices hacked. Successful at bringing down the network of 4000 + Whitesky clients, remotely sourcing targeted devices, leaking confidential information, phishing, deletng countless files. Most people in homes and building managers are referring to the multi day outage as outage or glitch. Located targeted devices, files encrypted, forced content, dumping & other malicious activity. \n*Cyber Folks .pl\n*https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n|| DDoS:Linux/Gafgyt.YA!MTB\nCVE-2017-17215\nVirus:Win32/Sivis.A\nBackdoor:Win32/Tofsee\nCVE-2014-8361\nCVE-2023-27350\nM1\nMirai\nNIDS\nOneLouder\nRansom\nRansom:Win32/Haperlock\nTEL:CreateScheduledTask ,\nTofsee , Trojan:Win32/Neurevt , Zombie.A ,TrojanSpy ,\nUnix.Trojan.Mirai ,Oxypumper , Qshell , Installcore ,Sarwent", "modified": "2024-10-24T19:00:50.385000", "created": "2024-09-24T20:05:46.785000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e47020bdbbc384d102d169", "name": "AWS Botnet *2nd L\u2070\u2070K \u00bb Quantum Fiber | Brute Forcer", "description": "I researched link again. Stealthy hackers surrounding a targets whereabouts in Denver Metro/Denver Proper (Co) and surrounding areas. Unsafe targeting activity escalates.\n\n*Tip { PDF:UrlMal-inf\\ [Trj] - https://www.quantumfiber.com/moving.html?utm_source=Digital&utm_medium=DV360_YouTube&utm_campaign=QuantumFiber_Residential_Prospecting&utm_content=Movers-RES-QF-Movers-ACH-OLV30-50-YouTube-NA&gclid=CjwKCAjwooq3BhB3Eiw } Malware Families:\nWin.Dropper.LokiBot-9975730-0\n#LowFiEnableDTContinueAfterUnpacking\n#LowFiMalf_gen\nALF:PUA:Block:IObit\nALF:Program:Win32/Webcompanion\nALF:Ransom:Win32/Babax\nALF:Trojan:Win32/FormBook\nAWS\nPDF:UrlMal-inf\\ [Trj]\nTrojan:Win32/Qbot\nTrojanDownloader:Win32/Upatre\nUnix\nUnix.Malware.Generic-9875933-0\nVirTool:Win32/Injector\nVirTool:Win32/Obfuscator\nWin.Dropper.LokiBot-9975730-0\nWin.Keylogger.Banbra-9936388-0\nWorm:Win32/Mofksys", "modified": "2024-10-13T13:01:27.179000", "created": "2024-09-13T17:02:24.806000", "tags": [ "namecheap", "server", "registrar abuse", "code", "dnssec", "email", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "vhash", "authentihash", "imphash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "trid upx", "win16 ne", "generic", "packer", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "upx0", "1 upx1", "upx2", "sysinternals", "zenbox", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "dynamic", "utc na", "utc facebook", "html info", "meta tags", "commerce cloud", "trackers google", "tag manager", "gtmkj5bfwx", "utc gtmp4hkt96", "utc gtm5z5w687v", "sample", "t1497", "sandbox evasion", "may sleep", "downloads", "http performs", "mitre att", "evasion ta0005", "upx software", "t1036 creates", "get http", "post http", "number", "ja3s", "algorithm", "subject", "data", "server ca", "odigicert inc", "cus lsan", "calls", "text", "passive dns", "urls", "scan endpoints", "all scoreblue", "url https", "http", "ip address", "related nids", "files location", "as8068", "united", "unknown", "ref b", "wed may", "entries", "mtb dec", "body", "please", "twitter", "malware", "trojan", "trojan features", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "worm", "win32", "alf features", "aaaa", "cname", "united kingdom", "creation date", "certificate", "tlsv1", "oglobalsign", "stzhejiang", "lhangzhou", "oalibaba", "china", "encrypt", "copy", "write", "august", "local", "xport", "regsetvalueexa", "regdword", "regbinary", "medium", "high", "regsetvalueexw", "regsz", "langchinese", "delphi", "persistence", "execution", "read c", "create c", "msie", "windows nt", "wow64", "slcc2", "media center", "write c", "delete c", "mozilla", "as62597 nsone", "domain", "as20940", "as8075", "virtool", "whitelisted ip", "location united", "asn as8068", "registrar", "markmonitor", "tags", "related tags", "threat roundup", "october", "historical ssl", "referrer", "round", "december", "november", "guloader", "files", "detections file", "name file", "file size", "name", "html", "cab null", "ubuntu", "linux x8664", "contentlength", "gobrut", "malware c", "c request", "config", "meta", "photolan", "moved", "a domains", "as47748 daticum", "meta http", "content", "gmt server", "ipv4", "pragma", "apache", "sales", "expiration date", "name servers", "asnone bulgaria", "ns nxdomain", "nxdomain", "soa nxdomain", "cape", "gobrut malware", "suricata", "et malware", "bruter cnc", "checkin", "activity", "malware config", "yara detections", "contacted", "a li", "li ul", "div div", "set cookie", "as29873", "link", "hong kong", "as45102 alibaba", "div li", "gmt max", "age2592000 path", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "false", "as2914 ntt", "record value", "data redacted", "as4230 claro", "invalid url", "research group", "as13768 aptum", "canada unknown", "canada", "hostpapa", "hosting", "click", "rdds service", "record", "registrant", "admin", "tech contact", "script domains", "as3257 gtt", "asnone canada", "access denied", "servers", "emails", "as397241", "as31898 oracle", "as397240", "overview ip", "flag united", "hostname", "files domain", "as15169 google", "as396982 google", "as16625 akamai", "as35994 akamai", "france", "discovery", "t1010", "t1012", "t1027", "information", "t1055", "injection", "t1057", "t1059", "ssh attacker", "mitm", "aitm", "tracker", "botnet", "binary", "ghostscript", "brendan coates", "daley", "trent wiltshire", "aws botnet", "filehashsha256", "filehashsha1", "filehashmd5", "https", "salitiy", "unix malware", "created", "url http", "unix", "aws", "role title", "added active", "report spam", "quantumfiber", "denver co", "critical", "default", "traditional", "compiler", "intel", "ms windows", "ssdeep", "rich pe", "imphash", "utc gtm5z5w687v", "utc gtmp4hkt96", "pecompact", "packer", "ids", "commerce cloud", "meta tags", "gmt etag", "accept encoding", "accept", "status", "west domains", "path", "author avatar", "active file", "denver", "vt graph", "currently", "im unaware", "pnpd5d", "susp", "filehash", "av detections", "pecompact", "february", "asnone germany", "as21499 host", "singapore", "germany", "object", "alerts", "icmp traffic", "createdate", "microsoft color", "msft", "format", "as44273 host", "content type", "kodak easyshare", "easyshare", "eastman kodak", "kodak", "kukacka", "virus", "rsdsr7siwwd d", "install", "service", "explorer", "windows", "name type", "md5 process", "sqlite", "sqlite version", "active", "pre crime", "cyber attack", "hackers", "quantum fiber", "quantumfiber.com", "target tsara brashears", "tech id", "hallrender", "brian sabey", "hijack", "spotify artists", "idlinea8 sep", "xo544", "xa10629", "sitegg", "fcolorffffff", "net1", "inhibit system", "oracle", "level 3" ], "references": [ "QuantumFiber.com a 2nd look", "Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]", "13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion", "IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.", "IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.", "Win.Dropper.LokiBot-9975730-0", "Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9", "IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread", "Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a", "Yara Detections: Delphi", "IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity", "IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)", "Query to a *.top domain - Likely Hostile Query for .cc TLD", "Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad", "Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction", "Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config", "Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat", "Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Unix.Malware.Generic:", "Unix.Malware.Generic:", "networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt", "wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com", "Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys", "Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0", "Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0", "Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Keylogger.Banbra-9936388-0", "display_name": "Win.Keylogger.Banbra-9936388-0", "target": null }, { "id": "#LowFiMalf_gen", "display_name": "#LowFiMalf_gen", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "ALF:Ransom:Win32/Babax", "display_name": "ALF:Ransom:Win32/Babax", "target": null }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "ALF:PUA:Block:IObit", "display_name": "ALF:PUA:Block:IObit", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Unix.Malware.Generic-9875933-0", "display_name": "Unix.Malware.Generic-9875933-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Unix", "display_name": "Unix", "target": null }, { "id": "AWS", "display_name": "AWS", "target": null }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "PDF:UrlMal-inf\\ [Trj]", "display_name": "PDF:UrlMal-inf\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1510", "name": "Clipboard Modification", "display_name": "T1510 - Clipboard Modification" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1644, "FileHash-SHA1": 1614, "FileHash-SHA256": 2742, "URL": 2708, "domain": 2150, "hostname": 2508, "email": 21, "SSLCertFingerprint": 33, "CVE": 2 }, "indicator_count": 13422, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d49947eaaf6c57bec78719", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "", "modified": "2024-10-01T16:04:13.437000", "created": "2024-09-01T16:41:43.676000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": "66ac1de146fa19aeb4bb119a", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://d4twhgtvn0ff5.cloudfront.net/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://d4twhgtvn0ff5.cloudfront.net/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776612972.218328 }