{ "type": "URL", "indicator": "https://es.tequilas.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://es.tequilas.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3178875877, "indicator": "https://es.tequilas.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "68f7582b2454d926e77db68c", "name": "AWS does have issues - Indictor removal service impacting threat hunting services", "description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.", "modified": "2025-11-20T06:00:01.014000", "created": "2025-10-21T09:53:47.767000", "tags": [ "url http", "url https", "united", "sweden", "canada", "search", "type indicator", "added active", "related pulses", "aws", "passive dns", "urls", "files domain", "files related", "related tags", "none google", "safe browsing", "present jun", "present sep", "present aug", "present jul", "present oct", "present may", "ip address", "uruguay unknown", "india showing", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "unknown", "write", "read", "unknown www", "et trojan", "suspicious", "read c", "myagrent", "get myagrent", "win32", "malware", "ids detections", "et", "dynamicloader", "medium", "write c", "high", "pcratgh0st cnc", "backdoor family", "show", "ms windows", "trojandropper", "code", "next", "polymorphic", "indicator role", "title added", "active related", "report spam", "threat hunters", "brian", "sabey created", "day ago", "white indicator", "sabey", "worm", "emotet", "tags", "malware family", "ck ids", "t1140", "information", "t1045", "packing", "t1060", "dns", "role title", "filehashmd5", "malware attacks", "find encrypted", "pulses url", "q oct", "dns", "ators show", "tbmvid", "sourcelnms", "ipv4", "types", "indicators show" ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "TrojanDropper:Win32/Zegost.B", "display_name": "TrojanDropper:Win32/Zegost.B", "target": "/malware/TrojanDropper:Win32/Zegost.B" }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "Trojan:Win32/Fugrafa", "display_name": "Trojan:Win32/Fugrafa", "target": "/malware/Trojan:Win32/Fugrafa" }, { "id": "Win32:MalwareX-gen", "display_name": "Win32:MalwareX-gen", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1224, "URL": 2979, "domain": 609, "FileHash-SHA256": 765, "FileHash-SHA1": 350, "FileHash-MD5": 374, "CVE": 1, "email": 1 }, "indicator_count": 6303, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e0ee3c026bf0e346f62f80", "name": "Original State ", "description": "", "modified": "2024-03-30T20:02:03.506000", "created": "2024-02-29T20:51:08.655000", "tags": [ "referrer", "contacted urls", "contacted", "shaw telecom", "shaw business", "city", "solutions", "bgpp ref", "rtechhandle", "net72", "net720000", "server", "google", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "bat", "heuristic", "trojan", "dropper", "ssl certificate", "execution", "siblings", "resolutions", "code overlap", "yara detections", "pea exe", "scan endpoints", "all octoseek", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "Pea: pack, encrypt, authenticate", "search", "entries", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "files", "unknown", "united", "servers", "showing", "name servers", "meta", "whois", "pe resource", "whois domain", "doylestown, pa", "ransom", "body", "gmt contenttype", "ubuntu", "date", "all search", "otx octoseek", "ipv4", "location united", "urls url", "domains domain", "whois record", "whois whois", "historical ssl", "group", "mirai", "exploit", "dark power", "bitrat", "powershell", "aurora stealer", "matryoshka", "service", "emotet", "date hash", "ComSpyAudit", "delphi", "win64", "related pulses", "icmp traffic", "packing t1045", "t1045", "show", "malware", "copy", "write", "stack_string", "evoe", "eej er", "lex1 esaaege", "ap e06eke4", "ehpeeepe e", "ehrk elm", "eme et", "exx el", "esme evte1exe", "evte1exe", "false", "useragent usage", "true", "windows nt", "close", "flashpix", "open", "dock", "next", "hello", "encrypt", "nexus myst", "active threat", "source id", "targeting", "defacement" ], "references": [ "7034.sydneyplus.com", "LIBRARYWEBLINK.EXE", "Pea: pack, encrypt, authenticate", "EXE:CompanyName: LegalCopyright\t- Giorgio Tani, LGPLv3", "Private IP address: 0.64.0.0 -", "Emotet: FileHash-MD5 a77357ccec5530d0db3f0d603584191f", "Emotet: FileHash-SHA1 218afe0fccd7fd1d7cb08904e12caf2d22a0db47", "Emotet: FileHash-SHA256 fcf5500a8b46bf8c7234fb0cc4568e2bd65b12ef8b700dc11ff8ee507ba129da", "Pottieq: FileHash-MD5 8b91e351d1e46af68f27bae037fcfff6", "Pottieq: FileHash-SHA1 1ba1aa3d08080e27eb91d206cf54672edb051662", "Pottieq: FileHash-SHA256 cd2515f7f08ffea35d351b5cd37045f330c420e575f533ef3394a32c2fd52e95", "Mirai IP: 0.110.128.0", "Worm:Win32/Gamarue: FileHash-MD5 d3a36a65f960436b0b35ce5fb17481c6", "Worm:Win32/Gamarue: FileHash-SHA 3f390af687885304f5b610eabe82b3d9dad8f6d8", "Worm:Win32/Gamarue: FileHash-SHA256 8bb70aa49c307504f4872431e38ff8136b3e09520f228c5720e5d50c406d8a68", "Worm:Win32/Mofksys.RND!MTB: FileHash-MD5 db595ce78a3324f4ae83c1b2cb06f7aa", "Worm:Win32/Mofksys.RND!MTB: FileHash-SHA1 1dfd47d2c3c93536d8b924308faf100b338acd6a", "Worm:Win32/Mofksys.RND!MTB: FileHash-SHA256 16b0b335d23384388123215741c0f89d71532f36afa7ff7e8f112bfc7bc9de46", "Win64:BotX-gen\\ [Trj]: FileHash-MD5 d2a0a135abcc97aab5d85c0dc95a5857", "Win64:BotX-gen\\ [Trj]: FileHash-SHA1 cdb6de8689a1d4d9132d0fbb8647f09fc0348776", "Win64:BotX-gen\\ [Trj]: FileHash-SHA256 000588bb01a8ebf9612179a8c3991c998658686589dae48ad220253fde655f1f", "The Medical Protection Society Ltd: The Medical Protection Society Limited (\u201cMPS\u201d) is the world's leading protection organisation for doctors, dentists and healthcare professionals.", "https://otx.alienvault.com/indicator/hostname/library.medicalprotection.org", "https://otx.alienvault.com/indicator/file/cd2515f7f08ffea35d351b5cd37045f330c420e575f533ef3394a32c2fd52e95", "https://otx.alienvault.com/indicator/file/000588bb01a8ebf9612179a8c3991c998658686589dae48ad220253fde655f1f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Antiy-AVL Trojan[Downloader]/Win32.Betload", "display_name": "Antiy-AVL Trojan[Downloader]/Win32.Betload", "target": null }, { "id": "Trojan.BAT.Agent.tnKf", "display_name": "Trojan.BAT.Agent.tnKf", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Goosky", "display_name": "Worm:Win32/Goosky", "target": "/malware/Worm:Win32/Goosky" }, { "id": "Ransom:Win32/Pottieq", "display_name": "Ransom:Win32/Pottieq", "target": "/malware/Ransom:Win32/Pottieq" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Worm:Win32/Gamarue", "display_name": "Worm:Win32/Gamarue", "target": "/malware/Worm:Win32/Gamarue" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Razy-9866790-0", "display_name": "Win.Malware.Razy-9866790-0", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" } ], "industries": [], "TLP": "white", "cloned_from": "65de91e67d0d575c27960e12", "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 560, "FileHash-SHA256": 1242, "URL": 712, "domain": 365, "CIDR": 1, "email": 5, "FileHash-MD5": 321, "FileHash-SHA1": 319, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 3527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "750 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708127d14f133931af519e", "name": "www.StephenMiller.net ~ Former White House senior adviser to President Trump", "description": "", "modified": "2023-12-06T14:11:51.785000", "created": "2023-12-06T14:11:51.785000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 525, "hostname": 688, "URL": 2368, "domain": 1043, "email": 2, "CVE": 1, "FileHash-SHA1": 5 }, "indicator_count": 4632, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6229929ea38aec664790238f", "name": "www.StephenMiller.net ~ Former White House senior adviser to President Trump", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-10T05:54:38.947000", "tags": [ "whois record", "ssl certificate", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 688, "URL": 2368, "FileHash-SHA256": 525, "domain": 1044, "CVE": 1, "FileHash-SHA1": 5, "email": 2 }, "indicator_count": 4633, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Pottieq: FileHash-SHA1 1ba1aa3d08080e27eb91d206cf54672edb051662", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "Worm:Win32/Mofksys.RND!MTB: FileHash-SHA1 1dfd47d2c3c93536d8b924308faf100b338acd6a", "Win64:BotX-gen\\ [Trj]: FileHash-SHA256 000588bb01a8ebf9612179a8c3991c998658686589dae48ad220253fde655f1f", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "Worm:Win32/Mofksys.RND!MTB: FileHash-SHA256 16b0b335d23384388123215741c0f89d71532f36afa7ff7e8f112bfc7bc9de46", "Contacted ipp.getcash2018.com conf.f.360.cn", "pornhub.org", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "http://appleid.icloud.com-website33.org/", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "honey.exe", "Pea: pack, encrypt, authenticate", "Pottieq: FileHash-SHA256 cd2515f7f08ffea35d351b5cd37045f330c420e575f533ef3394a32c2fd52e95", "EXE:CompanyName: LegalCopyright\t- Giorgio Tani, LGPLv3", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "The Medical Protection Society Ltd: The Medical Protection Society Limited (\u201cMPS\u201d) is the world's leading protection organisation for doctors, dentists and healthcare professionals.", "LIBRARYWEBLINK.EXE", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "Worm:Win32/Gamarue: FileHash-SHA256 8bb70aa49c307504f4872431e38ff8136b3e09520f228c5720e5d50c406d8a68", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "https://otx.alienvault.com/indicator/hostname/library.medicalprotection.org", "message.htm.com", "Worm:Win32/Gamarue: FileHash-SHA 3f390af687885304f5b610eabe82b3d9dad8f6d8", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "CS Sigma Rules: Python Initiated Connection by frack113", "Mirai IP: 0.110.128.0", "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Win64:BotX-gen\\ [Trj]: FileHash-SHA1 cdb6de8689a1d4d9132d0fbb8647f09fc0348776", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "Emotet: FileHash-SHA256 fcf5500a8b46bf8c7234fb0cc4568e2bd65b12ef8b700dc11ff8ee507ba129da", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "Found in: https://Side3.com/", "Emotet: FileHash-MD5 a77357ccec5530d0db3f0d603584191f", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "Worm:Win32/Gamarue: FileHash-MD5 d3a36a65f960436b0b35ce5fb17481c6", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "Emotet: FileHash-SHA1 218afe0fccd7fd1d7cb08904e12caf2d22a0db47", "ww12.indianpornxxxtube.com", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "http://pornhub.com/gay/video/search", "7034.sydneyplus.com", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Worm:Win32/Mofksys.RND!MTB: FileHash-MD5 db595ce78a3324f4ae83c1b2cb06f7aa", "Pottieq: FileHash-MD5 8b91e351d1e46af68f27bae037fcfff6", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net", "Win64:BotX-gen\\ [Trj]: FileHash-MD5 d2a0a135abcc97aab5d85c0dc95a5857", "https://otx.alienvault.com/indicator/file/cd2515f7f08ffea35d351b5cd37045f330c420e575f533ef3394a32c2fd52e95", "api.login.live.com", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "Private IP address: 0.64.0.0 -", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "http://mobilesmafia.com/applications/botnet.ex", "nr-data.net [Apple Private Data Collection]", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "https://otx.alienvault.com/indicator/file/000588bb01a8ebf9612179a8c3991c998658686589dae48ad220253fde655f1f" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Worm:win32/mofksys.rnd!mtb", "Trojandropper:win32", "Other:malware-gen\\ [trj]", "Trojan:win32/remcosrat", "Virus.win32.virut.q", "Worm:win32/autorun.xxy!bit", "Worm:win32/gamarue", "W32.sality-73", "Win32:inject-bcl\\ [trj]", "W32.sality.pe", "#lowfi:suspicioussectionname", "Sheur4.ceoo", "Win.malware.razy-9866790-0", "Virtool", "Trojandropper:win32/zegost.b", "Win32:malwarex-gen", "Trojan:win32/fugrafa", "Trojanspy", "Et", "Tofsee", "Webtoolbar", "Zegost", "Worm:win32/goosky", "Trojan.bat.agent.tnkf", "Emotet", "Generic", "Win32/cryptor", "Win.trojan.mbrlock-9779766-0", "Quasar rat", "Antiy-avl trojan[downloader]/win32.betload", "Win.trojan.agent-828507", "Ransomexx", "Win32:evo-gen\\ [trj]", "Relic", "Generic_r.byw", "Win32/tanatos.a", "Ransom:win32/pottieq", "Mirai", "Hacktool" ], "industries": [ "Telecommunications", "Entertainment", "Government", "Media", "Technology" ], "unique_indicators": 65007 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/tequilas.net", "whois": "http://whois.domaintools.com/tequilas.net", "domain": "tequilas.net", "hostname": "es.tequilas.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "68f7582b2454d926e77db68c", "name": "AWS does have issues - Indictor removal service impacting threat hunting services", "description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.", "modified": "2025-11-20T06:00:01.014000", "created": "2025-10-21T09:53:47.767000", "tags": [ "url http", "url https", "united", "sweden", "canada", "search", "type indicator", "added active", "related pulses", "aws", "passive dns", "urls", "files domain", "files related", "related tags", "none google", "safe browsing", "present jun", "present sep", "present aug", "present jul", "present oct", "present may", "ip address", "uruguay unknown", "india showing", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "unknown", "write", "read", "unknown www", "et trojan", "suspicious", "read c", "myagrent", "get myagrent", "win32", "malware", "ids detections", "et", "dynamicloader", "medium", "write c", "high", "pcratgh0st cnc", "backdoor family", "show", "ms windows", "trojandropper", "code", "next", "polymorphic", "indicator role", "title added", "active related", "report spam", "threat hunters", "brian", "sabey created", "day ago", "white indicator", "sabey", "worm", "emotet", "tags", "malware family", "ck ids", "t1140", "information", "t1045", "packing", "t1060", "dns", "role title", "filehashmd5", "malware attacks", "find encrypted", "pulses url", "q oct", "dns", "ators show", "tbmvid", "sourcelnms", "ipv4", "types", "indicators show" ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "TrojanDropper:Win32/Zegost.B", "display_name": "TrojanDropper:Win32/Zegost.B", "target": "/malware/TrojanDropper:Win32/Zegost.B" }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "Trojan:Win32/Fugrafa", "display_name": "Trojan:Win32/Fugrafa", "target": "/malware/Trojan:Win32/Fugrafa" }, { "id": "Win32:MalwareX-gen", "display_name": "Win32:MalwareX-gen", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1224, "URL": 2979, "domain": 609, "FileHash-SHA256": 765, "FileHash-SHA1": 350, "FileHash-MD5": 374, "CVE": 1, "email": 1 }, "indicator_count": 6303, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e0ee3c026bf0e346f62f80", "name": "Original State ", "description": "", "modified": "2024-03-30T20:02:03.506000", "created": "2024-02-29T20:51:08.655000", "tags": [ "referrer", "contacted urls", "contacted", "shaw telecom", "shaw business", "city", "solutions", "bgpp ref", "rtechhandle", "net72", "net720000", "server", "google", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "bat", "heuristic", "trojan", "dropper", "ssl certificate", "execution", "siblings", "resolutions", "code overlap", "yara detections", "pea exe", "scan endpoints", "all octoseek", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "Pea: pack, encrypt, authenticate", "search", "entries", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "files", "unknown", "united", "servers", "showing", "name servers", "meta", "whois", "pe resource", "whois domain", "doylestown, pa", "ransom", "body", "gmt contenttype", "ubuntu", "date", "all search", "otx octoseek", "ipv4", "location united", "urls url", "domains domain", "whois record", "whois whois", "historical ssl", "group", "mirai", "exploit", "dark power", "bitrat", "powershell", "aurora stealer", "matryoshka", "service", "emotet", "date hash", "ComSpyAudit", "delphi", "win64", "related pulses", "icmp traffic", "packing t1045", "t1045", "show", "malware", "copy", "write", "stack_string", "evoe", "eej er", "lex1 esaaege", "ap e06eke4", "ehpeeepe e", "ehrk elm", "eme et", "exx el", "esme evte1exe", "evte1exe", "false", "useragent usage", "true", "windows nt", "close", "flashpix", "open", "dock", "next", "hello", "encrypt", "nexus myst", "active threat", "source id", "targeting", "defacement" ], "references": [ "7034.sydneyplus.com", "LIBRARYWEBLINK.EXE", "Pea: pack, encrypt, authenticate", "EXE:CompanyName: LegalCopyright\t- Giorgio Tani, LGPLv3", "Private IP address: 0.64.0.0 -", "Emotet: FileHash-MD5 a77357ccec5530d0db3f0d603584191f", "Emotet: FileHash-SHA1 218afe0fccd7fd1d7cb08904e12caf2d22a0db47", "Emotet: FileHash-SHA256 fcf5500a8b46bf8c7234fb0cc4568e2bd65b12ef8b700dc11ff8ee507ba129da", "Pottieq: FileHash-MD5 8b91e351d1e46af68f27bae037fcfff6", "Pottieq: FileHash-SHA1 1ba1aa3d08080e27eb91d206cf54672edb051662", "Pottieq: FileHash-SHA256 cd2515f7f08ffea35d351b5cd37045f330c420e575f533ef3394a32c2fd52e95", "Mirai IP: 0.110.128.0", "Worm:Win32/Gamarue: FileHash-MD5 d3a36a65f960436b0b35ce5fb17481c6", "Worm:Win32/Gamarue: FileHash-SHA 3f390af687885304f5b610eabe82b3d9dad8f6d8", "Worm:Win32/Gamarue: FileHash-SHA256 8bb70aa49c307504f4872431e38ff8136b3e09520f228c5720e5d50c406d8a68", "Worm:Win32/Mofksys.RND!MTB: FileHash-MD5 db595ce78a3324f4ae83c1b2cb06f7aa", "Worm:Win32/Mofksys.RND!MTB: FileHash-SHA1 1dfd47d2c3c93536d8b924308faf100b338acd6a", "Worm:Win32/Mofksys.RND!MTB: FileHash-SHA256 16b0b335d23384388123215741c0f89d71532f36afa7ff7e8f112bfc7bc9de46", "Win64:BotX-gen\\ [Trj]: FileHash-MD5 d2a0a135abcc97aab5d85c0dc95a5857", "Win64:BotX-gen\\ [Trj]: FileHash-SHA1 cdb6de8689a1d4d9132d0fbb8647f09fc0348776", "Win64:BotX-gen\\ [Trj]: FileHash-SHA256 000588bb01a8ebf9612179a8c3991c998658686589dae48ad220253fde655f1f", "The Medical Protection Society Ltd: The Medical Protection Society Limited (\u201cMPS\u201d) is the world's leading protection organisation for doctors, dentists and healthcare professionals.", "https://otx.alienvault.com/indicator/hostname/library.medicalprotection.org", "https://otx.alienvault.com/indicator/file/cd2515f7f08ffea35d351b5cd37045f330c420e575f533ef3394a32c2fd52e95", "https://otx.alienvault.com/indicator/file/000588bb01a8ebf9612179a8c3991c998658686589dae48ad220253fde655f1f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Antiy-AVL Trojan[Downloader]/Win32.Betload", "display_name": "Antiy-AVL Trojan[Downloader]/Win32.Betload", "target": null }, { "id": "Trojan.BAT.Agent.tnKf", "display_name": "Trojan.BAT.Agent.tnKf", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Goosky", "display_name": "Worm:Win32/Goosky", "target": "/malware/Worm:Win32/Goosky" }, { "id": "Ransom:Win32/Pottieq", "display_name": "Ransom:Win32/Pottieq", "target": "/malware/Ransom:Win32/Pottieq" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Worm:Win32/Gamarue", "display_name": "Worm:Win32/Gamarue", "target": "/malware/Worm:Win32/Gamarue" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Razy-9866790-0", "display_name": "Win.Malware.Razy-9866790-0", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" } ], "industries": [], "TLP": "white", "cloned_from": "65de91e67d0d575c27960e12", "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 560, "FileHash-SHA256": 1242, "URL": 712, "domain": 365, "CIDR": 1, "email": 5, "FileHash-MD5": 321, "FileHash-SHA1": 319, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 3527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "750 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708127d14f133931af519e", "name": "www.StephenMiller.net ~ Former White House senior adviser to President Trump", "description": "", "modified": "2023-12-06T14:11:51.785000", "created": "2023-12-06T14:11:51.785000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 525, "hostname": 688, "URL": 2368, "domain": 1043, "email": 2, "CVE": 1, "FileHash-SHA1": 5 }, "indicator_count": 4632, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6229929ea38aec664790238f", "name": "www.StephenMiller.net ~ Former White House senior adviser to President Trump", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-10T05:54:38.947000", "tags": [ "whois record", "ssl certificate", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 688, "URL": 2368, "FileHash-SHA256": 525, "domain": 1044, "CVE": 1, "FileHash-SHA1": 5, "email": 2 }, "indicator_count": 4633, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://es.tequilas.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://es.tequilas.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776692442.9194348 }