{ "type": "URL", "indicator": "https://dev.resources.newscdn.com.au", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dev.resources.newscdn.com.au", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3814645501, "indicator": "https://dev.resources.newscdn.com.au", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "65d167a8cf2e7966af16a671", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:56.143000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a9c59fe757dc56b395", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:57.917000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3ae057e25854811cc1395", "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified", "description": "", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-19T19:37:41.208000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": "65d167a9c59fe757dc56b395", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342", "uat.identityssl.newscdn.com.au", "gameskinny.com", "Yara Detections: GlassesCode", "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Sabey", "Little", "Et", "Win32:vitro", "Win.trojan.6977536-1", "Hallrender", "Win32:trojan-gen", "Ddos:linux/mirai", "Nebuler/dialer.qn", "Trojan:win32/tinba!rfn", "Elf:ddos-y\\ [trj]", "Hacktool", "Lolkek", "Nsis", "Makop ransomware", "Win32:emotet-ai\\ [trj]", "Ransomware", "Win.trojan.generic-6333842-0", "Win32/cmsbrute/pifagor", "Win32/dh{gvijaw?}", "Lazarus", "Brashears" ], "industries": [ "Civil society" ], "unique_indicators": 30087 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/newscdn.com.au", "whois": "http://whois.domaintools.com/newscdn.com.au", "domain": "newscdn.com.au", "hostname": "dev.resources.newscdn.com.au" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "65d167a8cf2e7966af16a671", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:56.143000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a9c59fe757dc56b395", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:57.917000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3ae057e25854811cc1395", "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified", "description": "", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-19T19:37:41.208000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": "65d167a9c59fe757dc56b395", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dev.resources.newscdn.com.au", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dev.resources.newscdn.com.au", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639738.2583983 }