{ "type": "URL", "indicator": "https://dan.remotedev.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dan.remotedev.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3978301633, "indicator": "https://dan.remotedev.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "299 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "299 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "676c51660af3ce9abea3524e", "name": "Caommw", "description": "", "modified": "2025-01-24T18:03:38.470000", "created": "2024-12-25T18:39:34.531000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Taiwan", "Japan" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 622, "URL": 453, "domain": 281, "FileHash-SHA256": 84, "CVE": 1 }, "indicator_count": 1441, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "492 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "Yara Detections: osx_GoLang", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/Verify.php", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "152.199.171.19 : USDA Fort Collins, Colorado", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "152.199.161.19: ANS Communications, Inc (ANS)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.emotet-9951800-0", "Slf:trojan:win32/grandoreiro.a", "Other:malware-gen\\ [trj]", "Virtool:win32/injector" ], "industries": [], "unique_indicators": 25886 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/remotedev.org", "whois": "http://whois.domaintools.com/remotedev.org", "domain": "remotedev.org", "hostname": "dan.remotedev.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "299 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "299 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "676c51660af3ce9abea3524e", "name": "Caommw", "description": "", "modified": "2025-01-24T18:03:38.470000", "created": "2024-12-25T18:39:34.531000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Taiwan", "Japan" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 622, "URL": 453, "domain": 281, "FileHash-SHA256": 84, "CVE": 1 }, "indicator_count": 1441, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "492 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dan.remotedev.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dan.remotedev.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780294034.1745522 }