{ "type": "URL", "indicator": "https://email.getwham.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://email.getwham.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3815588583, "indicator": "https://email.getwham.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658f967a4fc7ebe8021b9382", "name": "Mirai Apple Attack +", "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-30T04:03:06.598000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659127f3265ec6306b607faa", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-31T08:36:03.380000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944b9812ea52ab41c0259d", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2024-01-02T17:44:56.709000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://appleid.icloud.com-website33.org/", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "nr-data.net | Apple Private Data collection", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "CS Sigma Rules: Python Initiated Connection by frack113", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "103.246.145.111 - scanning host", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "103.246.145.111 phishing", "http://pornhub.com/gay/video/search", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "api.login.live.com", "honey.exe", "https://twitter.com/PORNO_SEXYBABES", "00000000.apple.com | remote SIM Swap", "message.htm.com", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojandropper:win32", "Tofsee", "Relic", "W32.sality.pe", "Virus.win32.virut.q", "Trojanspy", "Trojan.mirai/genericrxui", "Virtool", "Hacktool", "Ratel" ], "industries": [], "unique_indicators": 32647 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/getwham.com", "whois": "http://whois.domaintools.com/getwham.com", "domain": "getwham.com", "hostname": "email.getwham.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658f967a4fc7ebe8021b9382", "name": "Mirai Apple Attack +", "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-30T04:03:06.598000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659127f3265ec6306b607faa", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-31T08:36:03.380000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944b9812ea52ab41c0259d", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2024-01-02T17:44:56.709000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://email.getwham.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://email.getwham.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776645601.815304 }