{ "type": "URL", "indicator": "https://elastic.docebosaas.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://elastic.docebosaas.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3914791421, "indicator": "https://elastic.docebosaas.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6a056cacb981e6f3b2dd4647", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:28:01.780000", "created": "2026-05-14T06:33:16.946000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1521, "FileHash-SHA1": 1395, "FileHash-SHA256": 6084, "URL": 1499, "domain": 1947, "hostname": 1361, "email": 18, "CVE": 1 }, "indicator_count": 13826, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a056cac80d9b80eb1a97e29", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:14:09.098000", "created": "2026-05-14T06:33:16.505000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1499, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13592, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc1b9d02d8ebe162913b74", "name": "Credit: OctoSeek -2yrs ago [Zombie.A \u2022 Bayrob in fake malware information website.]", "description": "", "modified": "2026-05-07T05:03:23.418000", "created": "2026-05-07T04:57:01.616000", "tags": [ "ukraine", "referrer", "deploys fake", "uue files", "fsociety", "target colombia", "judiciary", "financial", "public", "tools", "sector", "mexico", "aka xloader", "html", "html info", "title", "meta tags", "google tag", "utc gnr5gzhd545", "utc na", "utc aw944900006", "utc linkedin", "formbook", "accept", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "apache", "so funny", "click", "urls", "passive dns", "http", "unique", "scan endpoints", "all octoseek", "url http", "ip address", "related nids", "code", "united", "as54113", "unknown", "aaaa", "as15169 google", "as46691", "status", "cname", "search", "whitelisted", "body", "date", "msil", "meta", "third-party-cookies", "iframes", "external-resources", "text/html", "trackers", "end game", "name servers", "select contact", "domain holder", "nexus category", "creation date", "showing", "date hash", "avast avg", "trojan", "mtb may", "dynamicloader", "high", "medium", "yara detections", "sniffs", "attempts", "alternate data", "stream", "a foreign", "cultureneutral", "get na", "show", "delete c", "entries", "cape", "delete", "default", "copy", "nivdort", "write", "trojanspy", "bayrob", "malware", "eagle eyed", "nonads", "path max", "age86400 set", "cookie", "script urls", "type", "script script", "win32 exe", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs98", "contained", "simplified", "info compiler", "products", "sp6 build", "header intel", "name md5", "language", "not found", "rules not", "mitre", "info ids", "found sigma", "found", "files not", "found network", "getlasterror", "icons library", "os2 executable", "files", "file type", "kb file", "name", "type name", "ip detections", "country", "gandi sas", "dynadot", "enom", "namecheap", "dynadot inc", "namecheap inc", "dynadot llc", "domains", "tucows domains", "melbourne it", "historical ssl", "realteck audio", "problems", "lemon duck", "iocs", "sneaky server", "replacement", "unauthorized", "windows", "windir", "samplepath", "user", "process", "created", "shell commands", "windefend", "created bus", "tree", "registry keys", "reports upgrade", "keys set", "upgradestart", "dword", "data registry", "keys deleted", "reports", "get http", "request", "http requests", "ip traffic", "dns resolutions", "resolutions", "mitre att", "defense evasion", "ta0007 command", "control ta0011", "impact ta0034", "impact ta0040", "graph", "bundled files", "name file", "contacted ip", "users", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "tulach", "rexxfield", "milesit", "cp", "self deleting", "stuff", "copying", "packages found", "targeting major", "injects ads", "into search", "results", "overlay", "text", "win32 dll", "javascript", "db2maestro", "open ports", "ipv4", "pulse submit", "url analysis", "expiration date", "hostname", "next", "ten process", "utc facebook", "utc google", "title ten", "blog meta", "tags", "elastic blog", "bing ads", "as8068", "certificate", "otx telemetry", "ref b", "record value", "emails", "please", "win32", "x msedge", "pulse pulses", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "safe site", "mail spammer", "million", "malware site", "phishing site", "malicious site", "bank", "fuery", "unsafe", "malicious", "alexa", "zbot", "asn as16625", "akamai", "less", "is2osecurity", "domain name", "active", "as21342", "domain", "location israel", "asn as1680", "invalid url", "body html", "head title", "title head", "body h1", "reference", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "organization", "district", "columbia", "false", "as20940", "as16625 akamai", "as8987 amazon", "moved", "as1680 cellcom", "alerts", "related pulses", "guard", "dynamic", "reads", "https link", "as8075", "record type", "ttl value", "redacted for", "privacy tech", "privacy admin", "postal code", "stateprovince", "server", "email", "office open", "ms word", "document", "xml document", "xml spreadsheet", "email trash", "rich text", "pdf tripwire", "fall", "whois lookups", "contact email", "blind eagle", "brian sabey" ], "references": [ "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Alerts: cape_detected_threat cape_extracted_content", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "http://Object.prototype.hasOwnProperty.call", "Tulach! It's been a minute - 114.114.114.114", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV" ], "public": 1, "adversary": "Blind Eagle", "targeted_countries": [ "United States of America", "Colombia", "Netherlands", "Israel" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "trojan.bayrob/lazy", "display_name": "trojan.bayrob/lazy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "6683aae863ba601bac1a28b5", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1167, "FileHash-SHA1": 738, "FileHash-SHA256": 3074, "URL": 1019, "domain": 1640, "hostname": 973, "email": 12, "SSLCertFingerprint": 2, "URI": 2 }, "indicator_count": 8627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18d829739be014393c59", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:04.872000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18de7177474b759ab2b7", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:10.608000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6862f3dfadf9868777a97d96", "name": "LokiBot \u2022 Denver Apartments & Townhomes for Rent |", "description": "| ENDGAME |\n\u2022 ALF:Trojan:MSIL/LokiBot.BY!MTBv\n\u2022 Win32:MalwareX-gen\\ [Trj\n| w3.org - 324 malicious files communicating |\n{https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f}\n\n\u2022 Trojan:Win32/Gepys.PVS!MTB\tMalware infection\n\u2022 www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\n\u2022 www.endgame.com/\n(Researcher: CHRIS KRAYBILL?? | Emails\tG5DEV@G5SEARCHMARKETING.COM | Chief Technology Officer of Amplion, Inc)\n! SELL.INTERNETTRAFFIC.COM !\nDescribed as Upscale living.\nMonitoring/Hacking/ Targeting/ Crime/ Keyloggers\n\nUnsafe connections & logging.\n[404/Snake/Matiex Keylogger Style External IP Check\nPossible HTTP 403 XSS Attempt (Local Source)\nDYNAMIC_DNS Query to *.duckdns. Domain]\n[https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f]", "modified": "2025-07-30T20:03:49.035000", "created": "2025-06-30T20:30:23.414000", "tags": [ "passive dns", "urls", "files ip", "address", "moved", "script urls", "creation date", "search", "record value", "date", "body", "x cache", "hio50 c1", "x amz", "read c", "document file", "v2 document", "tls handshake", "failure", "write", "show", "port", "destination", "copy", "malware", "next", "domains show", "domain related", "memcommit", "cryptexportkey", "invalid pointer", "medium", "icmp traffic", "t1055", "http", "memreserve", "windows", "checks amount", "msie", "windows nt", "wow64", "slcc2", "media center", "hostname", "files domain", "files related", "pulses none", "related tags", "none google", "safe browsing", "no expiration", "url https", "expiration", "domain", "sec ch", "ch ua", "ua full", "ua platform", "united", "cname", "present jun", "entries", "ip address", "name servers", "showing", "domain add", "present may", "next associated", "urls show", "date checked", "url hostname", "response ip", "address google", "present sep", "present dec", "present nov", "unique", "url add", "pulse pulses", "related nids", "files location", "code", "present apr", "status", "private name", "org domains", "proxy", "llc address", "road city", "us creation", "domain name", "aaaa", "trojan", "yara detections", "alerts", "analysis date", "file score", "mtb yara", "detections none", "related pulses", "none related", "win32", "expiration date", "title error", "hostname add", "pulse submit", "entries http", "scans record", "value", "a domains", "server", "gmt content", "length", "flywheel", "sea x", "miss x", "accept", "meta", "pulses", "tags", "otx telemetry", "twitter running", "open ports", "certificate", "cookie", "flag united", "local", "unknown ns", "unknown soa", "external ip", "process32nextw", "lookup", "dyndns checkip", "address server", "response", "savbwcd", "ef3ghigj", "abxcde", "unknown", "info", "amazon", "amazon rsa", "location united", "asn as16509", "whois registrar", "none indicator", "facts otx", "referral url", "solutions", "whois server", "query", "contacted", "pulse", "av detections", "ids detections", "detections" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 576, "FileHash-SHA1": 534, "hostname": 212, "URL": 149, "domain": 683, "email": 10, "FileHash-SHA256": 1925, "SSLCertFingerprint": 1 }, "indicator_count": 4090, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "590 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c661131c5003925e9bfe15", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:11.612000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "618 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c66114103f15aab3b00d6c", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:12.543000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "618 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ca37ac60cb425a2b3856c6", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-24T19:42:36.642000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66c66114103f15aab3b00d6c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "618 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d4b052225d396d18e395c3", "name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-09-01T18:20:02.256000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "618 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6683aae863ba601bac1a28b5", "name": "Zombie.A \u2022 Bayrob in fake malware information website.", "description": "Incredibly malicious IoC's found in a legitimate appearing website with informative information. Prominently appears at top of targets search results. \n https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png\nMultiple government domains behind website. Honeypot?", "modified": "2024-08-01T06:03:26.298000", "created": "2024-07-02T07:23:20.582000", "tags": [ "ukraine", "referrer", "deploys fake", "uue files", "fsociety", "target colombia", "judiciary", "financial", "public", "tools", "sector", "mexico", "aka xloader", "html", "html info", "title", "meta tags", "google tag", "utc gnr5gzhd545", "utc na", "utc aw944900006", "utc linkedin", "formbook", "accept", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "apache", "so funny", "click", "urls", "passive dns", "http", "unique", "scan endpoints", "all octoseek", "url http", "ip address", "related nids", "code", "united", "as54113", "unknown", "aaaa", "as15169 google", "as46691", "status", "cname", "search", "whitelisted", "body", "date", "msil", "meta", "third-party-cookies", "iframes", "external-resources", "text/html", "trackers", "end game", "name servers", "select contact", "domain holder", "nexus category", "creation date", "showing", "date hash", "avast avg", "trojan", "mtb may", "dynamicloader", "high", "medium", "yara detections", "sniffs", "attempts", "alternate data", "stream", "a foreign", "cultureneutral", "get na", "show", "delete c", "entries", "cape", "delete", "default", "copy", "nivdort", "write", "trojanspy", "bayrob", "malware", "eagle eyed", "nonads", "path max", "age86400 set", "cookie", "script urls", "type", "script script", "win32 exe", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs98", "contained", "simplified", "info compiler", "products", "sp6 build", "header intel", "name md5", "language", "not found", "rules not", "mitre", "info ids", "found sigma", "found", "files not", "found network", "getlasterror", "icons library", "os2 executable", "files", "file type", "kb file", "name", "type name", "ip detections", "country", "gandi sas", "dynadot", "enom", "namecheap", "dynadot inc", "namecheap inc", "dynadot llc", "domains", "tucows domains", "melbourne it", "historical ssl", "realteck audio", "problems", "lemon duck", "iocs", "sneaky server", "replacement", "unauthorized", "windows", "windir", "samplepath", "user", "process", "created", "shell commands", "windefend", "created bus", "tree", "registry keys", "reports upgrade", "keys set", "upgradestart", "dword", "data registry", "keys deleted", "reports", "get http", "request", "http requests", "ip traffic", "dns resolutions", "resolutions", "mitre att", "defense evasion", "ta0007 command", "control ta0011", "impact ta0034", "impact ta0040", "graph", "bundled files", "name file", "contacted ip", "users", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "tulach", "rexxfield", "milesit", "cp", "self deleting", "stuff", "copying", "packages found", "targeting major", "injects ads", "into search", "results", "overlay", "text", "win32 dll", "javascript", "db2maestro", "open ports", "ipv4", "pulse submit", "url analysis", "expiration date", "hostname", "next", "ten process", "utc facebook", "utc google", "title ten", "blog meta", "tags", "elastic blog", "bing ads", "as8068", "certificate", "otx telemetry", "ref b", "record value", "emails", "please", "win32", "x msedge", "pulse pulses", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "safe site", "mail spammer", "million", "malware site", "phishing site", "malicious site", "bank", "fuery", "unsafe", "malicious", "alexa", "zbot", "asn as16625", "akamai", "less", "is2osecurity", "domain name", "active", "as21342", "domain", "location israel", "asn as1680", "invalid url", "body html", "head title", "title head", "body h1", "reference", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "organization", "district", "columbia", "false", "as20940", "as16625 akamai", "as8987 amazon", "moved", "as1680 cellcom", "alerts", "related pulses", "guard", "dynamic", "reads", "https link", "as8075", "record type", "ttl value", "redacted for", "privacy tech", "privacy admin", "postal code", "stateprovince", "server", "email", "office open", "ms word", "document", "xml document", "xml spreadsheet", "email trash", "rich text", "pdf tripwire", "fall", "whois lookups", "contact email", "blind eagle", "brian sabey" ], "references": [ "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Alerts: cape_detected_threat cape_extracted_content", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "http://Object.prototype.hasOwnProperty.call", "Tulach! It's been a minute - 114.114.114.114", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV" ], "public": 1, "adversary": "Blind Eagle", "targeted_countries": [ "United States of America", "Colombia", "Netherlands", "Israel" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "trojan.bayrob/lazy", "display_name": "trojan.bayrob/lazy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1167, "FileHash-SHA1": 738, "FileHash-SHA256": 3074, "URL": 1019, "domain": 1639, "hostname": 973, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 8623, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "668 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "compromised_site_redirector_fromcharcode fromCharCode", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Yara Detections: osx_GoLang", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Alerts: cape_detected_threat cape_extracted_content", "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "api2ip.ua \u00bb External IP Lookup Service Domain", "http://Object.prototype.hasOwnProperty.call", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "https://www.pornhub.com/video/search?search=tsara+brashears", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV", "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "152.199.161.19: ANS Communications, Inc (ANS)", "f.search schema.org t.final", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "https://sslproxy.gatewayclient3.v.hikops.com", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "152.199.171.19 : USDA Fort Collins, Colorado", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "What's going on here judiciary? Karen - cisa.gov? e.final", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Tulach! It's been a minute - 114.114.114.114", "http://appleidi-iforgot.3utilities.com/Verify.php", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Blind Eagle" ], "malware_families": [ "Slf:trojan:win32/grandoreiro.a", "Alf:trojan:bat/envvarcharreplacement", "Virtool:win32/injector", "Trojan:win32/danabot", "Trojan:win32/zombie.a", "Win.dropper.tofsee-10023347-0", "Alf:jasyp:trojandownloader:win32/quireap!atmn", "Trojandownloader:win32/nemucod", "Backdoor:win32/tofsee", "Win32:pwsx-gen\\ [trj]", "Trojanspy:win32/nivdort", "Other:malware-gen\\ [trj]", "Worm:win32/macoute.a", "Trojanspy:win32/nivdort.cw", "Ransom:win32/eniqma.a", "Formbook", "Trojan.bayrob/lazy", "Trojan:win32/eqtonex", "Worm:win32/fesber.a", "Trojan:win32/meredrop", "Bayrob", "Trojan:win32/azorult", "Virtool:win32/obfuscator", "Upackv037dwing", "Cryp_xed-12", "Win.trojan.emotet-9951800-0", "Mal/generic-s", "#lowfi:hstr:win32/exprio", "Trojandownloader:win32/tofsee", "Alf:heraklezeval:rogue:win32/fakerean", "Tofsee" ], "industries": [], "unique_indicators": 70751 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/docebosaas.com", "whois": "http://whois.domaintools.com/docebosaas.com", "domain": "docebosaas.com", "hostname": "elastic.docebosaas.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6a056cacb981e6f3b2dd4647", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:28:01.780000", "created": "2026-05-14T06:33:16.946000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1521, "FileHash-SHA1": 1395, "FileHash-SHA256": 6084, "URL": 1499, "domain": 1947, "hostname": 1361, "email": 18, "CVE": 1 }, "indicator_count": 13826, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a056cac80d9b80eb1a97e29", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:14:09.098000", "created": "2026-05-14T06:33:16.505000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1499, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13592, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc1b9d02d8ebe162913b74", "name": "Credit: OctoSeek -2yrs ago [Zombie.A \u2022 Bayrob in fake malware information website.]", "description": "", "modified": "2026-05-07T05:03:23.418000", "created": "2026-05-07T04:57:01.616000", "tags": [ "ukraine", "referrer", "deploys fake", "uue files", "fsociety", "target colombia", "judiciary", "financial", "public", "tools", "sector", "mexico", "aka xloader", "html", "html info", "title", "meta tags", "google tag", "utc gnr5gzhd545", "utc na", "utc aw944900006", "utc linkedin", "formbook", "accept", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "apache", "so funny", "click", "urls", "passive dns", "http", "unique", "scan endpoints", "all octoseek", "url http", "ip address", "related nids", "code", "united", "as54113", "unknown", "aaaa", "as15169 google", "as46691", "status", "cname", "search", "whitelisted", "body", "date", "msil", "meta", "third-party-cookies", "iframes", "external-resources", "text/html", "trackers", "end game", "name servers", "select contact", "domain holder", "nexus category", "creation date", "showing", "date hash", "avast avg", "trojan", "mtb may", "dynamicloader", "high", "medium", "yara detections", "sniffs", "attempts", "alternate data", "stream", "a foreign", "cultureneutral", "get na", "show", "delete c", "entries", "cape", "delete", "default", "copy", "nivdort", "write", "trojanspy", "bayrob", "malware", "eagle eyed", "nonads", "path max", "age86400 set", "cookie", "script urls", "type", "script script", "win32 exe", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs98", "contained", "simplified", "info compiler", "products", "sp6 build", "header intel", "name md5", "language", "not found", "rules not", "mitre", "info ids", "found sigma", "found", "files not", "found network", "getlasterror", "icons library", "os2 executable", "files", "file type", "kb file", "name", "type name", "ip detections", "country", "gandi sas", "dynadot", "enom", "namecheap", "dynadot inc", "namecheap inc", "dynadot llc", "domains", "tucows domains", "melbourne it", "historical ssl", "realteck audio", "problems", "lemon duck", "iocs", "sneaky server", "replacement", "unauthorized", "windows", "windir", "samplepath", "user", "process", "created", "shell commands", "windefend", "created bus", "tree", "registry keys", "reports upgrade", "keys set", "upgradestart", "dword", "data registry", "keys deleted", "reports", "get http", "request", "http requests", "ip traffic", "dns resolutions", "resolutions", "mitre att", "defense evasion", "ta0007 command", "control ta0011", "impact ta0034", "impact ta0040", "graph", "bundled files", "name file", "contacted ip", "users", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "tulach", "rexxfield", "milesit", "cp", "self deleting", "stuff", "copying", "packages found", "targeting major", "injects ads", "into search", "results", "overlay", "text", "win32 dll", "javascript", "db2maestro", "open ports", "ipv4", "pulse submit", "url analysis", "expiration date", "hostname", "next", "ten process", "utc facebook", "utc google", "title ten", "blog meta", "tags", "elastic blog", "bing ads", "as8068", "certificate", "otx telemetry", "ref b", "record value", "emails", "please", "win32", "x msedge", "pulse pulses", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "safe site", "mail spammer", "million", "malware site", "phishing site", "malicious site", "bank", "fuery", "unsafe", "malicious", "alexa", "zbot", "asn as16625", "akamai", "less", "is2osecurity", "domain name", "active", "as21342", "domain", "location israel", "asn as1680", "invalid url", "body html", "head title", "title head", "body h1", "reference", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "organization", "district", "columbia", "false", "as20940", "as16625 akamai", "as8987 amazon", "moved", "as1680 cellcom", "alerts", "related pulses", "guard", "dynamic", "reads", "https link", "as8075", "record type", "ttl value", "redacted for", "privacy tech", "privacy admin", "postal code", "stateprovince", "server", "email", "office open", "ms word", "document", "xml document", "xml spreadsheet", "email trash", "rich text", "pdf tripwire", "fall", "whois lookups", "contact email", "blind eagle", "brian sabey" ], "references": [ "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Alerts: cape_detected_threat cape_extracted_content", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "http://Object.prototype.hasOwnProperty.call", "Tulach! It's been a minute - 114.114.114.114", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV" ], "public": 1, "adversary": "Blind Eagle", "targeted_countries": [ "United States of America", "Colombia", "Netherlands", "Israel" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "trojan.bayrob/lazy", "display_name": "trojan.bayrob/lazy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": "6683aae863ba601bac1a28b5", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1167, "FileHash-SHA1": 738, "FileHash-SHA256": 3074, "URL": 1019, "domain": 1640, "hostname": 973, "email": 12, "SSLCertFingerprint": 2, "URI": 2 }, "indicator_count": 8627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18d829739be014393c59", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:04.872000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18de7177474b759ab2b7", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:10.608000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6862f3dfadf9868777a97d96", "name": "LokiBot \u2022 Denver Apartments & Townhomes for Rent |", "description": "| ENDGAME |\n\u2022 ALF:Trojan:MSIL/LokiBot.BY!MTBv\n\u2022 Win32:MalwareX-gen\\ [Trj\n| w3.org - 324 malicious files communicating |\n{https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f}\n\n\u2022 Trojan:Win32/Gepys.PVS!MTB\tMalware infection\n\u2022 www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\n\u2022 www.endgame.com/\n(Researcher: CHRIS KRAYBILL?? | Emails\tG5DEV@G5SEARCHMARKETING.COM | Chief Technology Officer of Amplion, Inc)\n! SELL.INTERNETTRAFFIC.COM !\nDescribed as Upscale living.\nMonitoring/Hacking/ Targeting/ Crime/ Keyloggers\n\nUnsafe connections & logging.\n[404/Snake/Matiex Keylogger Style External IP Check\nPossible HTTP 403 XSS Attempt (Local Source)\nDYNAMIC_DNS Query to *.duckdns. Domain]\n[https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f]", "modified": "2025-07-30T20:03:49.035000", "created": "2025-06-30T20:30:23.414000", "tags": [ "passive dns", "urls", "files ip", "address", "moved", "script urls", "creation date", "search", "record value", "date", "body", "x cache", "hio50 c1", "x amz", "read c", "document file", "v2 document", "tls handshake", "failure", "write", "show", "port", "destination", "copy", "malware", "next", "domains show", "domain related", "memcommit", "cryptexportkey", "invalid pointer", "medium", "icmp traffic", "t1055", "http", "memreserve", "windows", "checks amount", "msie", "windows nt", "wow64", "slcc2", "media center", "hostname", "files domain", "files related", "pulses none", "related tags", "none google", "safe browsing", "no expiration", "url https", "expiration", "domain", "sec ch", "ch ua", "ua full", "ua platform", "united", "cname", "present jun", "entries", "ip address", "name servers", "showing", "domain add", "present may", "next associated", "urls show", "date checked", "url hostname", "response ip", "address google", "present sep", "present dec", "present nov", "unique", "url add", "pulse pulses", "related nids", "files location", "code", "present apr", "status", "private name", "org domains", "proxy", "llc address", "road city", "us creation", "domain name", "aaaa", "trojan", "yara detections", "alerts", "analysis date", "file score", "mtb yara", "detections none", "related pulses", "none related", "win32", "expiration date", "title error", "hostname add", "pulse submit", "entries http", "scans record", "value", "a domains", "server", "gmt content", "length", "flywheel", "sea x", "miss x", "accept", "meta", "pulses", "tags", "otx telemetry", "twitter running", "open ports", "certificate", "cookie", "flag united", "local", "unknown ns", "unknown soa", "external ip", "process32nextw", "lookup", "dyndns checkip", "address server", "response", "savbwcd", "ef3ghigj", "abxcde", "unknown", "info", "amazon", "amazon rsa", "location united", "asn as16509", "whois registrar", "none indicator", "facts otx", "referral url", "solutions", "whois server", "query", "contacted", "pulse", "av detections", "ids detections", "detections" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 576, "FileHash-SHA1": 534, "hostname": 212, "URL": 149, "domain": 683, "email": 10, "FileHash-SHA256": 1925, "SSLCertFingerprint": 1 }, "indicator_count": 4090, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "590 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://elastic.docebosaas.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://elastic.docebosaas.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780265768.1881711 }