{ "type": "URL", "indicator": "https://dv.edoctransfer.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dv.edoctransfer.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3898343849, "indicator": "https://dv.edoctransfer.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f100d791f9f9f6ab7b4f24", "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver", "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator", "modified": "2024-10-23T05:03:21.045000", "created": "2024-09-23T05:47:03.625000", "tags": [ "isp charter", "usage type", "fixed line", "isp hostname", "domain name", "country united", "america city", "denver", "colorado", "ip address", "whois", "check", "information isp", "inc usage", "type fixed", "line isp", "hostname", "plesk forum", "centos web", "panel forum", "whois lookup", "netrange", "nethandle", "net107", "net1070000", "cc3517", "inc orgid", "dr city", "stateprov", "postalcode", "status", "as7843 charter", "united", "name servers", "passive dns", "urls", "domain", "search", "emails", "unknown", "scan endpoints", "all scoreblue", "ipv4", "files", "reverse dns", "location united", "win32", "abuseipdb", "read", "write", "read c", "server header", "show", "suspicious", "kelihos", "trojan", "artemis", "virustotal", "download", "drweb", "vipre", "panda", "malware", "specified", "next", "et trojan", "et info", "medium", "http", "ids detections", "yara detections", "e98c1cec8156", "as11426 charter", "as20001 charter", "as11427 charter", "as11351 charter", "as16787 charter", "as33363 charter", "as20115 charter", "as10796 charter", "as12271 charter", "body", "servers", "all search", "entries", "intel", "ms windows", "windows nt", "destination", "port", "asnone", "heurunsec", "etpro trojan", "nxdomain", "a nxdomain", "aaaa", "asnone united", "aaaa nxdomain", "backdoor", "pulse submit", "url analysis", "location oxford", "as3456 charter", "moved", "showing", "body doctype", "html public", "ietfdtd html", "as6976 verizon", "as701 verizon", "file samples", "files matching", "date hash", "copyright", "levelblue", "related pulses", "pulse pulses", "kryptikpii", "msr apr", "date", "creation date", "analyzer paste", "iocs", "samples", "secure server", "cname", "as5742", "body head", "object moved", "content length", "content type", "cookie", "as15133 verizon", "lowfi", "gmt server", "ecacc", "record value", "oxford", "michigan", "ns nxdomain", "soa nxdomain", "url http", "mitre att", "evasion ta0005", "creates", "discovery t1082", "reads software", "file", "t1083 reads", "jujubox", "zenbox", "get http", "request", "host", "win64", "khtml", "gecko", "response", "cus cndigicert", "tls rsa", "user", "javascript c", "doscom c", "text c", "files c", "storage", "file system", "filesadobe c", "appdata", "appdatalocal", "hostnames", "ta0002 command", "t1059 very", "t1064", "javascript", "modules t1129", "ta0003 create", "modify system", "process t1543", "windows service", "cisco umbrella", "blacklist", "safe site", "filerepmalware", "microsoft", "phishing bank", "sgeneric", "malware site", "unsafe", "number", "cus cngts", "ogoogle trust", "subject", "algorithm", "cus ouserver", "ouserver ca", "record type", "ttl value", "msms86718722", "query", "open", "capa", "create process", "windows create", "delete file", "write file", "windows check", "os version", "enumerate", "hashes", "signals mutexes", "mutexes", "open threat", "location los", "emails info", "expiration date", "write c", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "as51167 contabo", "germany unknown", "as40021 contabo", "encrypt", "hosting", "netherlands asn", "as204601 zomro", "pulses", "tags", "related tags", "indicator facts", "historical otx", "files ip", "asnone germany", "as174 cogent", "czechia unknown", "whitelisted", "certificate", "bittorrent dht", "post http", "et p2p", "cryptexportkey", "invalid pointer", "delete c", "post utcore", "benchhttp", "mozilla", "maldoc", "service", "tools", "nids", "et", "x95xd3xa4", "regbinary", "hx88x89", "kx82xd3x11", "xb9x8b", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "stream", "persistence", "execution", "dynamicloader", "contacted", "domains", "yara rule", "high", "dynamic", "pcap", "pushdo", "msie", "activity beacon", "malware beacon", "default", "redacted for", "for privacy", "as3379 kaiser", "server", "gmt content", "type", "x frame", "entries http", "scans show", "domain related", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "components", "zune", "etpro", "nod32", "avast avg", "next http", "example domain", "title meta", "invalid url", "akamai", "urls http", "as20940", "as16625 akamai", "netherlands", "germany", "france", "virtool", "rock", "address", "apache", "accept", "as8075", "pulse http", "related nids", "files location", "moldova related", "pulses none", "as31898 oracle", "title", "kryptiklfq", "win32dh", "vitro", "shutdown", "erase", "find", "close", "as53418", "hat server", "as797 att", "script urls", "a domains", "as10753 level", "script script", "meta", "path", "null", "stop", "as54113", "chrome", "as7018 att", "as28521", "mexico unknown", "fastly error", "please", "sea p", "object", "set cookie", "pragma", "as19536 directv", "united kingdom", "as60664 xion", "trojan features", "moldova unknown", "susp", "breaking news", "business", "finance", "entertainment", "sports", "games", "trending videos", "weather", "home", "as396982 google", "url https", "type indicator", "role title", "added active", "cyberfolks", ".pl", "level 3" ], "references": [ "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "IDS Detections: Suspicious double Server Header Possible Kelihos", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "telemetry-incoming.r53-2.services.mozilla.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "http://www.door.net/ARISBE/arisbe.htm", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Hungary", "Ukraine", "Spain", "Brazil", "Russian Federation", "Moldova, Republic of", "Japan", "Ireland", "Luxembourg", "Canada" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Cerber Ransomware", "display_name": "Cerber Ransomware", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Inject3.QGY", "display_name": "Inject3.QGY", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2060, "hostname": 3067, "CIDR": 4, "URL": 1300, "email": 29, "FileHash-MD5": 3181, "FileHash-SHA1": 1994, "FileHash-SHA256": 3228, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 14866, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b75a315eac0ff46fa4510d", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:16:49.869000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1030, "domain": 646, "hostname": 1473, "email": 7, "CVE": 2 }, "indicator_count": 10059, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1903bb12a0d4b524a0fb", "name": "HCA Healthcloid | Cellco\u00bb Adversary in the Middle | Swipper Verizon Block ", "description": "", "modified": "2024-09-18T18:16:35.396000", "created": "2024-09-18T18:16:35.396000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66ba9198fd69c93fabece38d", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 51, "CIDR": 11, "URL": 280, "hostname": 426, "FileHash-SHA256": 4334, "domain": 180, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9771, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "578 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ba9198fd69c93fabece38d", "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring", "description": "Linked to X.com research. Remotely spoofs, Ddos, blocks, intercepts, redirects, all activity of vicrim. At one time same Handle: Swipper had a malicious link attached to targets Apple notepads. The link connected to a website with targets name with photo of a jubilant arrest , or death threat. Site linked to Loudoun County, Swipper claiming to be the FBI.", "modified": "2024-09-18T18:12:03.438000", "created": "2024-08-12T22:50:00.127000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 51, "CIDR": 11, "URL": 280, "hostname": 426, "FileHash-SHA256": 4334, "domain": 180, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9771, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "578 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cb6092ed7d61b3a370d6cd", "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ", "description": "", "modified": "2024-09-12T00:41:55.890000", "created": "2024-08-25T16:49:22.975000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66ba9198fd69c93fabece38d", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 24, "CIDR": 8, "URL": 190, "hostname": 370, "FileHash-SHA256": 4319, "domain": 176, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9576, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d496e04d8fa0cc8d528941", "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ", "description": "", "modified": "2024-09-12T00:25:51.199000", "created": "2024-09-01T16:31:28.909000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66cb6092ed7d61b3a370d6cd", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 33, "CIDR": 9, "URL": 221, "hostname": 390, "FileHash-SHA256": 4343, "domain": 177, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9662, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669e42fea462f0c8f8db32a1", "name": "Worm:Win32/Ganelp.A - Malicious IP: 148.163.152.21", "description": "Malicious IP found in disastrous attack against a mid level media marketing firm that the healthcare, travel, corporate event industry. \nEmployee phones are 'zombies' some laptops likely impacted by the Crowd Strike issue, (blue screen). Excessive tracking, monitoring, active botnets, power outage, and more. Research of IP and other IoC's found. Unfortunately, many of the clients are also sucked into issue. It appears that the issue has persisted for several years. The outage just made us work every angle. The attack goes beyond the CS 'update' outage, as the seemingly well cyber manged firm was under a very targeted, ongoing cyber attack that has kept company from rebounding. Red Team behavior seen.", "modified": "2024-08-21T11:03:59.106000", "created": "2024-07-22T11:31:10.391000", "tags": [ "historical ssl", "referrer", "fancy bear", "scan endpoints", "all search", "otx scoreblue", "ipv4", "pulse submit", "url analysis", "passive dns", "urls", "files", "reverse dns", "open", "status", "name servers", "creation date", "search", "proofpoint", "expiration date", "div div", "date", "accept", "next", "united", "cname", "asnone united", "a nxdomain", "domain", "united kingdom", "servers", "showing", "nxdomain", "dname", "whitelisted", "aaaa", "script urls", "costa rica", "script domains", "msie", "chrome", "unknown", "body", "gmt content", "all scoreblue", "pulse pulses", "entries", "as8987 amazon", "as20940", "hostname", "gartner", "crowdstrike", "business value", "magic quadrant", "customer", "realized", "assessment", "economic impact", "complete", "february", "utc na", "ver2", "msclkidn", "html info", "meta tags", "mobileoptimized", "adobe dynamic", "tag management", "utc bing", "cobalt strike", "communications", "android device", "neutral", "win32 exe", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "sections", "rticon neutral", "ico rtgroupicon", "xml rtmanifest", "overlay", "threat roundup", "pandas", "attacks against", "southeast", "wannacry kill", "switch dns", "query", "high level", "hackers", "unknown win", "core", "ascii text", "sha256", "sha1", "size", "pattern match", "suricata stream", "command decode", "utf8 text", "mitre att", "path", "hybrid", "starfield", "meta", "general", "target", "local", "click", "strings", "trident", "legacy", "main", "contact", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "t1055 system", "pe file", "t1497 query", "may sleep", "allocate rwx", "get file", "access", "windows event", "allocate", "link function", "windows link", "contains pdb", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls tcp", "hashes", "user", "file system", "written c", "samplepath", "files dropped", "userprofile", "registry keys", "registry", "set registrya", "conhost", "comspec", "created", "temp", "windows", "displayname", "process", "commands", "signals mutexes", "mutexes", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "ca1 odigicert", "inc validity", "subject public", "certificate", "whois lookup", "netrange", "nethandle", "net148", "net1480000", "as16509", "as22843", "as13916", "form", "server", "registrar abuse", "email", "request email", "verisign", "icann whois", "tech", "first", "project skynet", "cyber army", "dynamicloader", "high", "delete c", "show", "username", "medium", "default", "yara detections", "worm", "copy", "write", "duptwux", "malware", "x82xd4", "kx81xdbx0f", "x86xd3", "xa1xf1", "xe8xc2x14", "wx99xcdx11", "regsetvalueexa", "regbinary", "xe8xc6x13", "hx88x9ax1e", "stream", "win32", "persistence", "execution", "av detections", "ids detections", "alerts", "analysis date", "file score", "ftp username", "contacted", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "severity", "null", "refresh", "span", "error", "tools", "look", "verify", "restart", "robtex", "apple ios", "apple", "domains", "co number", "virtual mobile", "logistics", "cyber defense", "twitter", "read c", "artemis", "intel", "steals", "virustotal", "python", "panda", "falcon sandbox", "analysis", "hybrid analysis", "submission name", "av detection", "multi scan", "highest", "ability", "execute", "upgrade", "intelligence", "learn", "reports", "logo analysis", "size17kib type", "command", "found", "layer protocol", "osi application", "ip address", "t1105 ingress", "tool transfer", "problems", "threat network", "infrastructure", "domains part", "domain tracker", "roundup", "new problems", "startpage", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "ob0007 system", "e1082 file", "e1083 impact", "data manipulation", "remote system", "discovery", "t1059 accept", "modules t1129", "enumerate", "as2914 ntt", "access denied", "as16625 akamai", "germany unknown", "csccorpdomains", "as31109", "invalid url", "mirai", "port", "destination", "bad login", "suspicious path", "nids", "tcp syn", "root account", "cve20185723", "as8068", "please", "x msedge", "embeddedwb", "windows nt", "tofsee", "push", "as54113", "as396982 google", "as31898 oracle", "moved", "encrypt" ], "references": [ "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "http://images.contact.acams.org/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Trojan.Agent.FRYX", "display_name": "Trojan.Agent.FRYX", "target": null }, { "id": "Win32:AceCrypter-B [Cryp]", "display_name": "Win32:AceCrypter-B [Cryp]", "target": null }, { "id": "Mal_Tofsee", "display_name": "Mal_Tofsee", "target": null }, { "id": "Ransom.StopcryptPMF.", "display_name": "Ransom.StopcryptPMF.", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Worm:Win32/Ganelp.A", "display_name": "Worm:Win32/Ganelp.A", "target": "/malware/Worm:Win32/Ganelp.A" }, { "id": "trojan.shellrunner/emailworm", "display_name": "trojan.shellrunner/emailworm", "target": null }, { "id": "trojan.redcap/python", "display_name": "trojan.redcap/python", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 890, "FileHash-SHA1": 853, "FileHash-SHA256": 7215, "domain": 2771, "hostname": 5544, "URL": 13393, "email": 12, "SSLCertFingerprint": 15, "CIDR": 1, "CVE": 3 }, "indicator_count": 30697, "is_author": false, "is_subscribing": null, "subscriber_count": 237, "modified_text": "606 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f340f8c0223ae0ce199d", "name": "Bitdefender Ransomware| | Sony Music | Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-07-01T00:07:28.402000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "667648f0bc130bdaa294ea19", "export_count": 6847, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667648f0bc130bdaa294ea19", "name": "Sony Music | Emotet - Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T03:45:52.401000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "66762a4ccb10185d774ddbde", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66762a4ccb10185d774ddbde", "name": "Lazarus Group - Emotet | Sony Music", "description": "Is the Lazarus Group still attacking Sony Music, affiliated, former, contacts, aspiring prospects and independent artists?\n\nA Denver Studio owner had former Sony leadership role was fully infected with Pegasus, Mirai and a Lazarus Group affiliation seen. An independent Denver publishing company and artists were greatly targeted and continue to be. A songwriter known to have recorded at Denver Studio had songs pirated. Tori Kelly and Justin Bieber recorded over chops copy written by artist. Strangely legally affiliated. A rumor suggests Lazarus group & Anonymous are hacker made up of government employees, police officers, attorneys and PI's. The government affiliated IP's are give rumors some weight. Hackers will hack anything, \nMost popular beliefs are artist was targeted and therefore the studio where she target worked from often. Denver Studio report scrubbed by HistoryKillerPro & other Unknown Stealers.", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T01:35:08.834000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 243, "modified_text": "640 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665ec0cfd110b0694c51fbe2", "name": "Eset - Dorkbot", "description": "Dorkbot a self-propagating program that can spread itself from one computer to another threatening to perform numerous f actions of a malicious hacker's choice on PC. Found on an updated windows machine. Hacker named machine, installed apple viewing software programs, partitioned 'zombie' machine. Network of compromised, sketchy remote transfer agents of a professional in the service industry. Serious impact on or companies impact on remote workers contracted by company in question due to the abrupt cessation of business of a recognized brand it's industry. Unfortunately, the documentation of this Eset programs behavior has been misplaced. From recall. this install identified and allowed threats, d. It was a weird see with the names eye experience. Incoming request/ Remote operators, disallowed many transactions and other basic use of software. Workers potentially working a database from individuals whose PII & PHI was leaked.", "modified": "2024-07-04T06:01:28.799000", "created": "2024-06-04T07:22:55.572000", "tags": [ "historical ssl", "referrer", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "csl computer", "gmbh dba", "contact phone", "domain status", "registrar url", "registrar whois", "contact email", "code", "united", "unknown", "aaaa", "as14061", "cname", "search", "emails", "dnssec", "showing", "win32", "title error", "passive dns", "open ports", "trojan", "body doctype", "html public", "w3cdtd html", "body", "dns replication", "domain", "lookups", "email", "name server", "slovensko", "tech contact", "valid", "admin contact", "a domains", "a li", "span h3", "header link", "option option", "united kingdom", "test", "april", "meta", "paris", "eset", "yara detections", "nod32", "amon", "internalname", "online payment", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "amz cf", "creation date", "record value", "expiration date", "name servers", "servers", "status", "next", "asnone united", "moved", "certificate", "ipv4", "urls", "files", "av detections", "ids detections", "alerts", "analysis date", "cf2a", "xaax04x00", "high", "dns reply", "noip domain", "et trojan", "createsuspended", "malware traffic", "dorkbot", "malware", "copy", "name verdict", "falcon sandbox", "windows nt", "appdata", "png image", "pattern match", "indicator", "ascii text", "rgba", "get collect", "vj98", "hybrid", "general", "local", "click", "strings", "path", "ms windows", "pe32", "intel", "microsoft asf", "pe32 executable", "database", "english", "installer", "template", "tue jun", "service", "crlf line", "url https", "http", "ip address", "related nids", "files location", "tip" ], "references": [ "bpp.eset.com", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "appleremotesupport.com | http://thickapple.net/index.php", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "https://appleid-verify.servecounterstrike.com/", "http://schoolgirl.uxxxporn.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": ", Win.Trojan.Agent-1286703", "display_name": ", Win.Trojan.Agent-1286703", "target": null }, { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Cosmu-1058", "display_name": "Win.Trojan.Cosmu-1058", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Finance", "Healthcare", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 758, "FileHash-SHA1": 478, "FileHash-SHA256": 2561, "URL": 8210, "domain": 2202, "hostname": 2760, "email": 22, "CVE": 3 }, "indicator_count": 16994, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Server: Web redirection - http://loki.com/download", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "AV Detection: ELF:Mirai-GH\\ [Trj]", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "IDS Detections: Suspicious double Server Header Possible Kelihos", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "telemetry-incoming.r53-2.services.mozilla.com", "https://uszoom.com/", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/domain/bunny.net", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "appleremotesupport.com | http://thickapple.net/index.php", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "http://www.door.net/ARISBE/arisbe.htm", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Vtapi: scanter.comwww.twitter.comx.com", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Was anyone else notified? I'm not sure why I was.", "http://schoolgirl.uxxxporn.com", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Yara Detections stack_string , Armadillov1xxv2xx", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "CS Sigma: Matches rule Python Initiated Connection by frack113", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "Yara Detections: DotNET_Reactor", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "bpp.eset.com", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: cape_detected_threat", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "https://appleid-verify.servecounterstrike.com/", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName", "X Vercel Servers", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "Yara Detections: SUSP_Imphash_Mar23_2", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "http://images.contact.acams.org/", "MyChart Phishing Scams", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Malicious Score: 10", "wallpapers-nature.com", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "http://borpatoken.com/ borpatoken.com", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Trojan.vtflooder/vflooder", "Nids", "#lowfi:hstr:trojanspy:win32/bancos", "Flooder", "Worm:win32/sfone", "Win.malware.trojanx-9862538-0", "Win32:genmalicious-kag\\ [trj]", "Alf:e5.spikeaex.rhh_mcv", "Elf:mirai-gh\\ [trj]", "Trojan:win32/comame", "Cerber ransomware", "A variant of win32/flystudio.packed.ad potentially unwanted", "Worm:win32/autorun", "Atros3.ldj", "Kelihos", "#virtool:win32/obfuscator", "Xpire.info", "Win.packer.pkr_ce1a-9980177-0", "Et", "Trojan.agent.fryx", "Trojan:win32/glupteba", "Pdf.phishing.ttraffrobotinstall-7605656-0", "Trojan.upatre/waski", "Sf:shellcode-au\\ [trj]", "Malware", "Trojandropper:win32/muldrop.v!mtb", "Trojan.redcap/python", "W32.aidetectmalware", "Win64:ransomx-gen", "Searchmeup", "Trojan:win32/pariham", "Alf:program:win32/webcompanion", "Trojandownloader:win32/cutwail", "Win32.meredrop checkin", "Virtool:win32/ceeinject", "Ransom.stopcryptpmf.", "Mirai", "Worm:win32/sfone.a", "Win-trojan/malpacked5.gen", "Win.trojan.cosmu-1058", "Win.trojan.occamy", "Win32:evo-gen", "Win.dropper.dridex-9986041-0", "Trojan.shellrunner/emailworm", "Slf:win64/cobpipe", "Trojan.mirai/fszhh", "Win.trojan.darkkomet-1", "Trojanspy", "Win.trojan.sdum-9807706-0", "Win32:evo-gen\\ [susp]", ", win.trojan.agent-1286703", "Backdoor:win32/tofsee.t", "Inject3.qgy", "Win32:acecrypter-b [cryp]", "Mal_tofsee", "Trojan:win32/antavmu", "Worm:win32/ganelp.a", "Win32:malware-gen", "Virus.ramnit/nimnul", "Generic", "Win.keylogger.susppack-9876601-0", "Win64-trojan/pakes.exp", "Ddos:linux/mirai", "Trojan.mirai/fedr", "Unix.trojan.mirai-9441505-0", "Trojanspy:win32/gucotut.a", "Alf:heraklezeval:trojan:win32/clipbanker", "Alf:heraklezeval:trojan:win32/zombie", "Backdoor:msil/bladabindi", "Backdoor:win32/tofsee", "Win.malware.bbabdcdc-7358312-0", "Etpro", "Win.dropper.autoit-6688751-0", "Trojan:win32/trickler", "Variant.zusy.151902", "Trojan:win32/zombie.a", "Virtool:win32/obfuscator", "Nod32", "Win.dropper.bulz-9910065-0", "Flyagent l", "Win32:trojan-gen", "Win32:pwsx-gen\\ [trj]", "Artro", "Android/ave.mirai.fszhh", "Trojan:win32/vflooder.a", "Trojan:win32/dorkbot.du", "W32/pidgeon-a" ], "industries": [ "Healthcare", "Civil society", "Government", "Finance", "Technology", "Civilian society", "Entertainment", "Media", "Telecommunications" ], "unique_indicators": 172020 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/edoctransfer.com", "whois": "http://whois.domaintools.com/edoctransfer.com", "domain": "edoctransfer.com", "hostname": "dv.edoctransfer.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f100d791f9f9f6ab7b4f24", "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver", "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator", "modified": "2024-10-23T05:03:21.045000", "created": "2024-09-23T05:47:03.625000", "tags": [ "isp charter", "usage type", "fixed line", "isp hostname", "domain name", "country united", "america city", "denver", "colorado", "ip address", "whois", "check", "information isp", "inc usage", "type fixed", "line isp", "hostname", "plesk forum", "centos web", "panel forum", "whois lookup", "netrange", "nethandle", "net107", "net1070000", "cc3517", "inc orgid", "dr city", "stateprov", "postalcode", "status", "as7843 charter", "united", "name servers", "passive dns", "urls", "domain", "search", "emails", "unknown", "scan endpoints", "all scoreblue", "ipv4", "files", "reverse dns", "location united", "win32", "abuseipdb", "read", "write", "read c", "server header", "show", "suspicious", "kelihos", "trojan", "artemis", "virustotal", "download", "drweb", "vipre", "panda", "malware", "specified", "next", "et trojan", "et info", "medium", "http", "ids detections", "yara detections", "e98c1cec8156", "as11426 charter", "as20001 charter", "as11427 charter", "as11351 charter", "as16787 charter", "as33363 charter", "as20115 charter", "as10796 charter", "as12271 charter", "body", "servers", "all search", "entries", "intel", "ms windows", "windows nt", "destination", "port", "asnone", "heurunsec", "etpro trojan", "nxdomain", "a nxdomain", "aaaa", "asnone united", "aaaa nxdomain", "backdoor", "pulse submit", "url analysis", "location oxford", "as3456 charter", "moved", "showing", "body doctype", "html public", "ietfdtd html", "as6976 verizon", "as701 verizon", "file samples", "files matching", "date hash", "copyright", "levelblue", "related pulses", "pulse pulses", "kryptikpii", "msr apr", "date", "creation date", "analyzer paste", "iocs", "samples", "secure server", "cname", "as5742", "body head", "object moved", "content length", "content type", "cookie", "as15133 verizon", "lowfi", "gmt server", "ecacc", "record value", "oxford", "michigan", "ns nxdomain", "soa nxdomain", "url http", "mitre att", "evasion ta0005", "creates", "discovery t1082", "reads software", "file", "t1083 reads", "jujubox", "zenbox", "get http", "request", "host", "win64", "khtml", "gecko", "response", "cus cndigicert", "tls rsa", "user", "javascript c", "doscom c", "text c", "files c", "storage", "file system", "filesadobe c", "appdata", "appdatalocal", "hostnames", "ta0002 command", "t1059 very", "t1064", "javascript", "modules t1129", "ta0003 create", "modify system", "process t1543", "windows service", "cisco umbrella", "blacklist", "safe site", "filerepmalware", "microsoft", "phishing bank", "sgeneric", "malware site", "unsafe", "number", "cus cngts", "ogoogle trust", "subject", "algorithm", "cus ouserver", "ouserver ca", "record type", "ttl value", "msms86718722", "query", "open", "capa", "create process", "windows create", "delete file", "write file", "windows check", "os version", "enumerate", "hashes", "signals mutexes", "mutexes", "open threat", "location los", "emails info", "expiration date", "write c", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "as51167 contabo", "germany unknown", "as40021 contabo", "encrypt", "hosting", "netherlands asn", "as204601 zomro", "pulses", "tags", "related tags", "indicator facts", "historical otx", "files ip", "asnone germany", "as174 cogent", "czechia unknown", "whitelisted", "certificate", "bittorrent dht", "post http", "et p2p", "cryptexportkey", "invalid pointer", "delete c", "post utcore", "benchhttp", "mozilla", "maldoc", "service", "tools", "nids", "et", "x95xd3xa4", "regbinary", "hx88x89", "kx82xd3x11", "xb9x8b", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "stream", "persistence", "execution", "dynamicloader", "contacted", "domains", "yara rule", "high", "dynamic", "pcap", "pushdo", "msie", "activity beacon", "malware beacon", "default", "redacted for", "for privacy", "as3379 kaiser", "server", "gmt content", "type", "x frame", "entries http", "scans show", "domain related", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "components", "zune", "etpro", "nod32", "avast avg", "next http", "example domain", "title meta", "invalid url", "akamai", "urls http", "as20940", "as16625 akamai", "netherlands", "germany", "france", "virtool", "rock", "address", "apache", "accept", "as8075", "pulse http", "related nids", "files location", "moldova related", "pulses none", "as31898 oracle", "title", "kryptiklfq", "win32dh", "vitro", "shutdown", "erase", "find", "close", "as53418", "hat server", "as797 att", "script urls", "a domains", "as10753 level", "script script", "meta", "path", "null", "stop", "as54113", "chrome", "as7018 att", "as28521", "mexico unknown", "fastly error", "please", "sea p", "object", "set cookie", "pragma", "as19536 directv", "united kingdom", "as60664 xion", "trojan features", "moldova unknown", "susp", "breaking news", "business", "finance", "entertainment", "sports", "games", "trending videos", "weather", "home", "as396982 google", "url https", "type indicator", "role title", "added active", "cyberfolks", ".pl", "level 3" ], "references": [ "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "IDS Detections: Suspicious double Server Header Possible Kelihos", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "telemetry-incoming.r53-2.services.mozilla.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "http://www.door.net/ARISBE/arisbe.htm", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Hungary", "Ukraine", "Spain", "Brazil", "Russian Federation", "Moldova, Republic of", "Japan", "Ireland", "Luxembourg", "Canada" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Cerber Ransomware", "display_name": "Cerber Ransomware", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Inject3.QGY", "display_name": "Inject3.QGY", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2060, "hostname": 3067, "CIDR": 4, "URL": 1300, "email": 29, "FileHash-MD5": 3181, "FileHash-SHA1": 1994, "FileHash-SHA256": 3228, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 14866, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b75a315eac0ff46fa4510d", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:16:49.869000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1030, "domain": 646, "hostname": 1473, "email": 7, "CVE": 2 }, "indicator_count": 10059, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1903bb12a0d4b524a0fb", "name": "HCA Healthcloid | Cellco\u00bb Adversary in the Middle | Swipper Verizon Block ", "description": "", "modified": "2024-09-18T18:16:35.396000", "created": "2024-09-18T18:16:35.396000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66ba9198fd69c93fabece38d", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 51, "CIDR": 11, "URL": 280, "hostname": 426, "FileHash-SHA256": 4334, "domain": 180, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9771, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "578 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ba9198fd69c93fabece38d", "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring", "description": "Linked to X.com research. Remotely spoofs, Ddos, blocks, intercepts, redirects, all activity of vicrim. At one time same Handle: Swipper had a malicious link attached to targets Apple notepads. The link connected to a website with targets name with photo of a jubilant arrest , or death threat. Site linked to Loudoun County, Swipper claiming to be the FBI.", "modified": "2024-09-18T18:12:03.438000", "created": "2024-08-12T22:50:00.127000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 51, "CIDR": 11, "URL": 280, "hostname": 426, "FileHash-SHA256": 4334, "domain": 180, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9771, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "578 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cb6092ed7d61b3a370d6cd", "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ", "description": "", "modified": "2024-09-12T00:41:55.890000", "created": "2024-08-25T16:49:22.975000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66ba9198fd69c93fabece38d", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 24, "CIDR": 8, "URL": 190, "hostname": 370, "FileHash-SHA256": 4319, "domain": 176, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9576, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d496e04d8fa0cc8d528941", "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ", "description": "", "modified": "2024-09-12T00:25:51.199000", "created": "2024-09-01T16:31:28.909000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66cb6092ed7d61b3a370d6cd", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 33, "CIDR": 9, "URL": 221, "hostname": 390, "FileHash-SHA256": 4343, "domain": 177, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9662, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669e42fea462f0c8f8db32a1", "name": "Worm:Win32/Ganelp.A - Malicious IP: 148.163.152.21", "description": "Malicious IP found in disastrous attack against a mid level media marketing firm that the healthcare, travel, corporate event industry. \nEmployee phones are 'zombies' some laptops likely impacted by the Crowd Strike issue, (blue screen). Excessive tracking, monitoring, active botnets, power outage, and more. Research of IP and other IoC's found. Unfortunately, many of the clients are also sucked into issue. It appears that the issue has persisted for several years. The outage just made us work every angle. The attack goes beyond the CS 'update' outage, as the seemingly well cyber manged firm was under a very targeted, ongoing cyber attack that has kept company from rebounding. Red Team behavior seen.", "modified": "2024-08-21T11:03:59.106000", "created": "2024-07-22T11:31:10.391000", "tags": [ "historical ssl", "referrer", "fancy bear", "scan endpoints", "all search", "otx scoreblue", "ipv4", "pulse submit", "url analysis", "passive dns", "urls", "files", "reverse dns", "open", "status", "name servers", "creation date", "search", "proofpoint", "expiration date", "div div", "date", "accept", "next", "united", "cname", "asnone united", "a nxdomain", "domain", "united kingdom", "servers", "showing", "nxdomain", "dname", "whitelisted", "aaaa", "script urls", "costa rica", "script domains", "msie", "chrome", "unknown", "body", "gmt content", "all scoreblue", "pulse pulses", "entries", "as8987 amazon", "as20940", "hostname", "gartner", "crowdstrike", "business value", "magic quadrant", "customer", "realized", "assessment", "economic impact", "complete", "february", "utc na", "ver2", "msclkidn", "html info", "meta tags", "mobileoptimized", "adobe dynamic", "tag management", "utc bing", "cobalt strike", "communications", "android device", "neutral", "win32 exe", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "sections", "rticon neutral", "ico rtgroupicon", "xml rtmanifest", "overlay", "threat roundup", "pandas", "attacks against", "southeast", "wannacry kill", "switch dns", "query", "high level", "hackers", "unknown win", "core", "ascii text", "sha256", "sha1", "size", "pattern match", "suricata stream", "command decode", "utf8 text", "mitre att", "path", "hybrid", "starfield", "meta", "general", "target", "local", "click", "strings", "trident", "legacy", "main", "contact", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "t1055 system", "pe file", "t1497 query", "may sleep", "allocate rwx", "get file", "access", "windows event", "allocate", "link function", "windows link", "contains pdb", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls tcp", "hashes", "user", "file system", "written c", "samplepath", "files dropped", "userprofile", "registry keys", "registry", "set registrya", "conhost", "comspec", "created", "temp", "windows", "displayname", "process", "commands", "signals mutexes", "mutexes", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "ca1 odigicert", "inc validity", "subject public", "certificate", "whois lookup", "netrange", "nethandle", "net148", "net1480000", "as16509", "as22843", "as13916", "form", "server", "registrar abuse", "email", "request email", "verisign", "icann whois", "tech", "first", "project skynet", "cyber army", "dynamicloader", "high", "delete c", "show", "username", "medium", "default", "yara detections", "worm", "copy", "write", "duptwux", "malware", "x82xd4", "kx81xdbx0f", "x86xd3", "xa1xf1", "xe8xc2x14", "wx99xcdx11", "regsetvalueexa", "regbinary", "xe8xc6x13", "hx88x9ax1e", "stream", "win32", "persistence", "execution", "av detections", "ids detections", "alerts", "analysis date", "file score", "ftp username", "contacted", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "severity", "null", "refresh", "span", "error", "tools", "look", "verify", "restart", "robtex", "apple ios", "apple", "domains", "co number", "virtual mobile", "logistics", "cyber defense", "twitter", "read c", "artemis", "intel", "steals", "virustotal", "python", "panda", "falcon sandbox", "analysis", "hybrid analysis", "submission name", "av detection", "multi scan", "highest", "ability", "execute", "upgrade", "intelligence", "learn", "reports", "logo analysis", "size17kib type", "command", "found", "layer protocol", "osi application", "ip address", "t1105 ingress", "tool transfer", "problems", "threat network", "infrastructure", "domains part", "domain tracker", "roundup", "new problems", "startpage", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "ob0007 system", "e1082 file", "e1083 impact", "data manipulation", "remote system", "discovery", "t1059 accept", "modules t1129", "enumerate", "as2914 ntt", "access denied", "as16625 akamai", "germany unknown", "csccorpdomains", "as31109", "invalid url", "mirai", "port", "destination", "bad login", "suspicious path", "nids", "tcp syn", "root account", "cve20185723", "as8068", "please", "x msedge", "embeddedwb", "windows nt", "tofsee", "push", "as54113", "as396982 google", "as31898 oracle", "moved", "encrypt" ], "references": [ "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "http://images.contact.acams.org/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Trojan.Agent.FRYX", "display_name": "Trojan.Agent.FRYX", "target": null }, { "id": "Win32:AceCrypter-B [Cryp]", "display_name": "Win32:AceCrypter-B [Cryp]", "target": null }, { "id": "Mal_Tofsee", "display_name": "Mal_Tofsee", "target": null }, { "id": "Ransom.StopcryptPMF.", "display_name": "Ransom.StopcryptPMF.", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Worm:Win32/Ganelp.A", "display_name": "Worm:Win32/Ganelp.A", "target": "/malware/Worm:Win32/Ganelp.A" }, { "id": "trojan.shellrunner/emailworm", "display_name": "trojan.shellrunner/emailworm", "target": null }, { "id": "trojan.redcap/python", "display_name": "trojan.redcap/python", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 890, "FileHash-SHA1": 853, "FileHash-SHA256": 7215, "domain": 2771, "hostname": 5544, "URL": 13393, "email": 12, "SSLCertFingerprint": 15, "CIDR": 1, "CVE": 3 }, "indicator_count": 30697, "is_author": false, "is_subscribing": null, "subscriber_count": 237, "modified_text": "606 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dv.edoctransfer.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dv.edoctransfer.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629956.6659682 }