{ "type": "URL", "indicator": "https://dev.shopdeveloper.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dev.shopdeveloper.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3819190434, "indicator": "https://dev.shopdeveloper.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "api.login.live.com", "http://pornhub.com/gay/video/search", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://appleid.icloud.com-website33.org/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "honey.exe", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "CS Sigma Rules: Python Initiated Connection by frack113", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojanspy", "Virtool", "Content reputation", "Relic", "Qbot", "Tofsee", "W32.sality.pe", "Virus.win32.virut.q", "Et", "Hacktool", "Trojandropper:win32" ], "industries": [], "unique_indicators": 72823 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/shopdeveloper.com", "whois": "http://whois.domaintools.com/shopdeveloper.com", "domain": "shopdeveloper.com", "hostname": "dev.shopdeveloper.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dev.shopdeveloper.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dev.shopdeveloper.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776662217.4381917 }