{ "type": "URL", "indicator": "https://eu4.paradoxwikis.com/Netherlands", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://eu4.paradoxwikis.com/Netherlands", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3736651416, "indicator": "https://eu4.paradoxwikis.com/Netherlands", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6683aae863ba601bac1a28b5", "name": "Zombie.A \u2022 Bayrob in fake malware information website.", "description": "Incredibly malicious IoC's found in a legitimate appearing website with informative information. Prominently appears at top of targets search results. \n https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png\nMultiple government domains behind website. Honeypot?", "modified": "2024-08-01T06:03:26.298000", "created": "2024-07-02T07:23:20.582000", "tags": [ "ukraine", "referrer", "deploys fake", "uue files", "fsociety", "target colombia", "judiciary", "financial", "public", "tools", "sector", "mexico", "aka xloader", "html", "html info", "title", "meta tags", "google tag", "utc gnr5gzhd545", "utc na", "utc aw944900006", "utc linkedin", "formbook", "accept", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "apache", "so funny", "click", "urls", "passive dns", "http", "unique", "scan endpoints", "all octoseek", "url http", "ip address", "related nids", "code", "united", "as54113", "unknown", "aaaa", "as15169 google", "as46691", "status", "cname", "search", "whitelisted", "body", "date", "msil", "meta", "third-party-cookies", "iframes", "external-resources", "text/html", "trackers", "end game", "name servers", "select contact", "domain holder", "nexus category", "creation date", "showing", "date hash", "avast avg", "trojan", "mtb may", "dynamicloader", "high", "medium", "yara detections", "sniffs", "attempts", "alternate data", "stream", "a foreign", "cultureneutral", "get na", "show", "delete c", "entries", "cape", "delete", "default", "copy", "nivdort", "write", "trojanspy", "bayrob", "malware", "eagle eyed", "nonads", "path max", "age86400 set", "cookie", "script urls", "type", "script script", "win32 exe", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs98", "contained", "simplified", "info compiler", "products", "sp6 build", "header intel", "name md5", "language", "not found", "rules not", "mitre", "info ids", "found sigma", "found", "files not", "found network", "getlasterror", "icons library", "os2 executable", "files", "file type", "kb file", "name", "type name", "ip detections", "country", "gandi sas", "dynadot", "enom", "namecheap", "dynadot inc", "namecheap inc", "dynadot llc", "domains", "tucows domains", "melbourne it", "historical ssl", "realteck audio", "problems", "lemon duck", "iocs", "sneaky server", "replacement", "unauthorized", "windows", "windir", "samplepath", "user", "process", "created", "shell commands", "windefend", "created bus", "tree", "registry keys", "reports upgrade", "keys set", "upgradestart", "dword", "data registry", "keys deleted", "reports", "get http", "request", "http requests", "ip traffic", "dns resolutions", "resolutions", "mitre att", "defense evasion", "ta0007 command", "control ta0011", "impact ta0034", "impact ta0040", "graph", "bundled files", "name file", "contacted ip", "users", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "tulach", "rexxfield", "milesit", "cp", "self deleting", "stuff", "copying", "packages found", "targeting major", "injects ads", "into search", "results", "overlay", "text", "win32 dll", "javascript", "db2maestro", "open ports", "ipv4", "pulse submit", "url analysis", "expiration date", "hostname", "next", "ten process", "utc facebook", "utc google", "title ten", "blog meta", "tags", "elastic blog", "bing ads", "as8068", "certificate", "otx telemetry", "ref b", "record value", "emails", "please", "win32", "x msedge", "pulse pulses", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "safe site", "mail spammer", "million", "malware site", "phishing site", "malicious site", "bank", "fuery", "unsafe", "malicious", "alexa", "zbot", "asn as16625", "akamai", "less", "is2osecurity", "domain name", "active", "as21342", "domain", "location israel", "asn as1680", "invalid url", "body html", "head title", "title head", "body h1", "reference", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "organization", "district", "columbia", "false", "as20940", "as16625 akamai", "as8987 amazon", "moved", "as1680 cellcom", "alerts", "related pulses", "guard", "dynamic", "reads", "https link", "as8075", "record type", "ttl value", "redacted for", "privacy tech", "privacy admin", "postal code", "stateprovince", "server", "email", "office open", "ms word", "document", "xml document", "xml spreadsheet", "email trash", "rich text", "pdf tripwire", "fall", "whois lookups", "contact email", "blind eagle", "brian sabey" ], "references": [ "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Alerts: cape_detected_threat cape_extracted_content", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "http://Object.prototype.hasOwnProperty.call", "Tulach! It's been a minute - 114.114.114.114", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV" ], "public": 1, "adversary": "Blind Eagle", "targeted_countries": [ "United States of America", "Colombia", "Netherlands", "Israel" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "trojan.bayrob/lazy", "display_name": "trojan.bayrob/lazy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1167, "FileHash-SHA1": 738, "FileHash-SHA256": 3074, "URL": 1019, "domain": 1639, "hostname": 973, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 8623, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533ed2685e0fc66ac0628bd", "name": "Network capture | Gather Victim Network Information | C2", "description": "Botnet. Spammer. BN campaigners. Victim name used for marketing BN and porn. This website contains age-restricted material and contains explicit depictions of sexual activity, but does not ask for permission to access or access any of the site's materials. \u00c2\u00a9 Mile High Distribution Inc", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-21T15:24:22.377000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d4a989642696d13b34c", "name": "Network capture | Gather Victim Network Information | C2", "description": "", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-30T03:04:42.175000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": "6533ed2685e0fc66ac0628bd", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d56620fb6845e22b859e75", "name": "Who is ENOM (DREAMHOST)", "description": "", "modified": "2023-09-11T00:03:40.398000", "created": "2023-08-10T22:35:12.322000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d31d52d54a9591dd717e17", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2544, "domain": 2507, "URL": 2757, "email": 26, "CVE": 25, "FileHash-SHA256": 61, "FileHash-MD5": 9, "FileHash-SHA1": 12 }, "indicator_count": 7941, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "952 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "Other", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Alerts: cape_detected_threat cape_extracted_content", "m1.sweetheartvideo.com [mailer!]", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "browser.events.data.msn.com [sandbox and archive browser events]", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "http://Object.prototype.hasOwnProperty.call", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Tulach! It's been a minute - 114.114.114.114", "mba3.sweetheartvideo.com [Server]", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Blind Eagle" ], "malware_families": [ "Trojan.bayrob/lazy", "Bayrob", "Trojanspy:win32/nivdort.cw", "Alf:jasyp:trojandownloader:win32/quireap!atmn", "Formbook", "Trojan:win32/zombie.a" ], "industries": [], "unique_indicators": 23926 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/paradoxwikis.com", "whois": "http://whois.domaintools.com/paradoxwikis.com", "domain": "paradoxwikis.com", "hostname": "eu4.paradoxwikis.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6683aae863ba601bac1a28b5", "name": "Zombie.A \u2022 Bayrob in fake malware information website.", "description": "Incredibly malicious IoC's found in a legitimate appearing website with informative information. Prominently appears at top of targets search results. \n https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png\nMultiple government domains behind website. Honeypot?", "modified": "2024-08-01T06:03:26.298000", "created": "2024-07-02T07:23:20.582000", "tags": [ "ukraine", "referrer", "deploys fake", "uue files", "fsociety", "target colombia", "judiciary", "financial", "public", "tools", "sector", "mexico", "aka xloader", "html", "html info", "title", "meta tags", "google tag", "utc gnr5gzhd545", "utc na", "utc aw944900006", "utc linkedin", "formbook", "accept", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "apache", "so funny", "click", "urls", "passive dns", "http", "unique", "scan endpoints", "all octoseek", "url http", "ip address", "related nids", "code", "united", "as54113", "unknown", "aaaa", "as15169 google", "as46691", "status", "cname", "search", "whitelisted", "body", "date", "msil", "meta", "third-party-cookies", "iframes", "external-resources", "text/html", "trackers", "end game", "name servers", "select contact", "domain holder", "nexus category", "creation date", "showing", "date hash", "avast avg", "trojan", "mtb may", "dynamicloader", "high", "medium", "yara detections", "sniffs", "attempts", "alternate data", "stream", "a foreign", "cultureneutral", "get na", "show", "delete c", "entries", "cape", "delete", "default", "copy", "nivdort", "write", "trojanspy", "bayrob", "malware", "eagle eyed", "nonads", "path max", "age86400 set", "cookie", "script urls", "type", "script script", "win32 exe", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs98", "contained", "simplified", "info compiler", "products", "sp6 build", "header intel", "name md5", "language", "not found", "rules not", "mitre", "info ids", "found sigma", "found", "files not", "found network", "getlasterror", "icons library", "os2 executable", "files", "file type", "kb file", "name", "type name", "ip detections", "country", "gandi sas", "dynadot", "enom", "namecheap", "dynadot inc", "namecheap inc", "dynadot llc", "domains", "tucows domains", "melbourne it", "historical ssl", "realteck audio", "problems", "lemon duck", "iocs", "sneaky server", "replacement", "unauthorized", "windows", "windir", "samplepath", "user", "process", "created", "shell commands", "windefend", "created bus", "tree", "registry keys", "reports upgrade", "keys set", "upgradestart", "dword", "data registry", "keys deleted", "reports", "get http", "request", "http requests", "ip traffic", "dns resolutions", "resolutions", "mitre att", "defense evasion", "ta0007 command", "control ta0011", "impact ta0034", "impact ta0040", "graph", "bundled files", "name file", "contacted ip", "users", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "tulach", "rexxfield", "milesit", "cp", "self deleting", "stuff", "copying", "packages found", "targeting major", "injects ads", "into search", "results", "overlay", "text", "win32 dll", "javascript", "db2maestro", "open ports", "ipv4", "pulse submit", "url analysis", "expiration date", "hostname", "next", "ten process", "utc facebook", "utc google", "title ten", "blog meta", "tags", "elastic blog", "bing ads", "as8068", "certificate", "otx telemetry", "ref b", "record value", "emails", "please", "win32", "x msedge", "pulse pulses", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "safe site", "mail spammer", "million", "malware site", "phishing site", "malicious site", "bank", "fuery", "unsafe", "malicious", "alexa", "zbot", "asn as16625", "akamai", "less", "is2osecurity", "domain name", "active", "as21342", "domain", "location israel", "asn as1680", "invalid url", "body html", "head title", "title head", "body h1", "reference", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "organization", "district", "columbia", "false", "as20940", "as16625 akamai", "as8987 amazon", "moved", "as1680 cellcom", "alerts", "related pulses", "guard", "dynamic", "reads", "https link", "as8075", "record type", "ttl value", "redacted for", "privacy tech", "privacy admin", "postal code", "stateprovince", "server", "email", "office open", "ms word", "document", "xml document", "xml spreadsheet", "email trash", "rich text", "pdf tripwire", "fall", "whois lookups", "contact email", "blind eagle", "brian sabey" ], "references": [ "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Alerts: cape_detected_threat cape_extracted_content", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "http://Object.prototype.hasOwnProperty.call", "Tulach! It's been a minute - 114.114.114.114", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV" ], "public": 1, "adversary": "Blind Eagle", "targeted_countries": [ "United States of America", "Colombia", "Netherlands", "Israel" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "trojan.bayrob/lazy", "display_name": "trojan.bayrob/lazy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1167, "FileHash-SHA1": 738, "FileHash-SHA256": 3074, "URL": 1019, "domain": 1639, "hostname": 973, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 8623, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533ed2685e0fc66ac0628bd", "name": "Network capture | Gather Victim Network Information | C2", "description": "Botnet. Spammer. BN campaigners. Victim name used for marketing BN and porn. This website contains age-restricted material and contains explicit depictions of sexual activity, but does not ask for permission to access or access any of the site's materials. \u00c2\u00a9 Mile High Distribution Inc", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-21T15:24:22.377000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d4a989642696d13b34c", "name": "Network capture | Gather Victim Network Information | C2", "description": "", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-30T03:04:42.175000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": "6533ed2685e0fc66ac0628bd", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d56620fb6845e22b859e75", "name": "Who is ENOM (DREAMHOST)", "description": "", "modified": "2023-09-11T00:03:40.398000", "created": "2023-08-10T22:35:12.322000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d31d52d54a9591dd717e17", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2544, "domain": 2507, "URL": 2757, "email": 26, "CVE": 25, "FileHash-SHA256": 61, "FileHash-MD5": 9, "FileHash-SHA1": 12 }, "indicator_count": 7941, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "952 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://eu4.paradoxwikis.com/Netherlands", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://eu4.paradoxwikis.com/Netherlands", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776648720.6450033 }