{ "type": "URL", "indicator": "https://fbbaby.boyaa.us", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://fbbaby.boyaa.us", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3491495040, "indicator": "https://fbbaby.boyaa.us", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fc4d4c24f2000879921be5", "name": "The Org : FormBook CnC | Pykspa", "description": "Front Facing Description: 'TheOrg' (https://theorg.com) The Org\nThe Org is an online professional community platform. It helps organizations get more exposure externally and operate more efficiently internally. | efficiently internally | Nefarious scheme? Unclear. Possible visa, immigration scheme. | Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to. download other malware or extract personal data. || Dark. | Score 100% Falcon Sandbox | Evasive. Moved permanently 03/21/2024 | FormBook is an infostealer of browser cached credentials , screenshots, keystrokes. | Tags auto populated", "modified": "2024-04-20T14:04:02.366000", "created": "2024-03-21T15:07:56.415000", "tags": [ "q https", "https", "enablement", "org log", "sign", "contact", "right person", "explore", "start", "grafana labs", "ogilvy", "figma", "find", "apollo", "http", "span", "learn", "html", "expiry", "form", "label", "youtube video", "linkedin", "input", "pixel", "legend", "cookie", "march", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "protocol h2", "security tls", "united", "resource", "asn16509", "amazon02", "name value", "main", "ssl certificate", "whois record", "whois whois", "resolutions", "threat roundup", "communicating", "referrer", "subdomains", "historical ssl", "collections", "june", "february", "blister", "cobalt strike", "phishing", "formbook", "contacted", "ip check", "adult content", "divergent", "hacktool", "copy", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers age", "cachecontrol", "connection", "tsara brashears", "malicious", "life", "core", "dns replication", "date", "win32 exe", "files", "detections type", "name", "wininit", "office open", "xml document", "qiwi hack", "android", "mgeinteg", "html info", "title", "org meta", "tags viewport", "org twitter", "org og", "the org", "utc google", "tag manager", "g5nxq655fgp", "domain", "search", "status", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "passive dns", "urls", "bhagam bhag", "home screen", "entries", "createdate", "title bhagam", "select xmp", "filehash", "malware", "format", "unknown", "meta", "as44273 host", "creation date", "moved", "encrypt", "district", "body", "window", "hall law", "a domains", "script urls", "datalayer", "registrar", "next", "accept encoding", "showing", "yara rule", "http host", "worm", "high", "possible", "win32", "bits", "cname", "as396982 google", "redacted for", "expiration date", "div div", "as26710 icann", "script domains", "citadel", "indonesia", "get updates", "write c", "create c", "read c", "show", "default", "common upatre", "upatre", "downloader", "zeus", "write", "execution", "regsetvalueexa", "regdword", "module load", "dock", "persistence", "as54113", "github pages", "formbook cnc", "checkin", "lowfi", "class", "trojan", "accept", "visa scheme", "mtb feb", "mtb jan", "romeo scheme", "exploitation", "pattern match", "command decode", "mitre att", "suricata ipv4", "ck id", "show technique", "ck matrix", "suricata udpv4", "facebook", "hybrid", "general", "model", "comspec", "click", "strings", "footer", "michelle", "nora", "hallrender", "name servers", "record value", "emails", "servers", "found", "gmt content", "error", "code", "men", "man", "woman", "hit", "sreredrum", "honey client", "hiv", "threat", "paste", "iocs", "urls https", "malicious site", "phishing site", "blockchain", "unsafe", "malware site", "malicious url", "phishtank", "cyber threat", "artemis", "asyncrat", "team", "cisco umbrella", "site", "safe site", "heur", "million", "xrat", "downldr", "union", "bank", "gvt google video transcoding", "malvertizing", "targeting", "target", "yandex dropper extend", "remote procedure call", "identity_helper.exe", "cookie bot" ], "references": [ "https://theorg.com", "Ransom: CVE-2023-4966", "Ransom: ransomed.vc", "FormBook: a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | 103.246.145.111", "Malware: 0a6e883228a04a6e8738511a6210914dea1773d88cf57950c83e092f02c7f3bf - Other:Malware-gen\\ [Trj]", "Yara Detections invalid_trailer_structure , multiple_versions", "Malware Hosting IP addresses: 141.193.213.20 | 185.199.108.153| 185.199.110.153 | 185.199.111.153", "https://otx.alienvault.com/indicator/url/https://theorg.com/_next/data/Gh7c6NpBHZESb74aisPB8/org/springboard-collaborative.json?companySlug=springboard-collaborative", "Scanning host: 31.214.178.54 , 37.152.88.54", "Yara Detections: vad_contains_network_strings information | HackToolWin32Patch CodeOverlap | PWSWin32Phorex CodeOverlap", "Yara: TrojanDropperWin32Ropest | CodeOverlap TrojanWin32Gatsorm | CodeOverlap TrojanWinNTConficker | CodeOverlap Alerts: WormWin32Pykspa", "Aspnet collect: https://otx.alienvault.com/otxapi/indicators/file/screenshot/000444cc67b97f45f11e1fdf89ad8f5127c87aa858fe151fa9c4975276f53b42", "development.digitalphotogallery.com _YandexDropperExtend", "Emotet: FileHash-MD5 bafae95c36402dfc1ea5fa04523e4e81", "Emotet: FileHash-SHA256 db9d59b0f192c91f8ecf939c415b3252b13b0fb052d4a66ceefb80dfb43d6e8a |", "Emotet: FileHash-SHA1\t19c14ab0aaab2c1dd922f0baca3cf64056f80acc", "thevisafirm.com | Immigration Lawyers Capital Immigration Lawyers Green Card Lawyer [ London, DC] malicious", "www.hallinjurylaw.com |\tMinneapolis Personal Injury Lawyer Personal Injury Law Experts", "Malvertizing, Phishing, Botnet PWD: https://pin.it/ | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "Phishing, Botnet PWD:https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://hybrid-analysis.com/sample/ac09d7f6b26675a529a366b47bc09b3fd776576fb099c020f57204ff7b4ea31c", "CVE-2007-3896 | CVE-2023-22518 | CVE-2023-4966", "jpocxaar1---r3---sn-jpocxaa-a03e.gvt1.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": "Win.Worm.Pykspa-1", "display_name": "Win.Worm.Pykspa-1", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "ApolloLocker", "display_name": "ApolloLocker", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Media", "Immigration", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4567, "domain": 2576, "hostname": 1212, "FileHash-SHA256": 3836, "FileHash-MD5": 744, "FileHash-SHA1": 724, "CVE": 5, "email": 9, "SSLCertFingerprint": 1 }, "indicator_count": 13674, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "729 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b4cea3e6da3a00306ae11", "name": "Ragnar Locker | Cowrie Hash", "description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.", "modified": "2024-02-06T23:04:54.022000", "created": "2024-01-08T01:16:26.884000", "tags": [ "contacted", "pe resource", "execution", "problems", "alienvault part", "dropped", "kgs0", "kls0", "collections", "schema abuse", "iframe", "united", "as29791", "search", "entries", "passive dns", "urls", "service", "date", "unknown", "japan unknown", "body", "czechia unknown", "sinkhole", "emotet", "date hash", "avast avg", "mtb dec", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "samples", "tulach", "tulach.cc", "sabey data center", "malware server", "gorf", "set cookie", "united kingdom", "script urls", "trojan", "status", "showing", "cookie", "template", "johnnsabey", "briansabey", "data center", "choco", "name", "win32 exe", "domains", "registrar", "markmonitor inc", "ip detections", "country", "us execution", "parents", "whois record", "whois whois", "ssl certificate", "apple ios", "red team", "tsara brashears", "historical ssl", "hacktool", "copy", "malicious", "life", "unsafe", "server", "registrar abuse", "contact phone", "domain status", "registrar whois", "email", "registry domain", "registry expiry", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "show", "free", "recon", "benjamin", "write", "worm", "win32", "june", "delphi", "code", "malware", "next", "using", "urls http", "benjamin", "nids", "cowrie hashes", "dns replication", "files", "sample", "sender", "us postal", "cowrie", "iranian actor", "shipping", "healthcare", "ragnar locker", "qakbot", "qbot", "pii", "phi", "privacy", "honeypot", "referrer", "spyware", "android", "nanocore", "banker", "keylogger" ], "references": [ "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://security.didici.cc/cve", "https://whois.domaintools.com/gov1.info", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "Cowrie (honeypot) - Wikipedia", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware" ], "public": 1, "adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "ALF:Win32/GbdInf_123DF591.J!ibt", "display_name": "ALF:Win32/GbdInf_123DF591.J!ibt", "target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt" }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null }, { "id": "ALF:SpikeAexR.SECTHDR", "display_name": "ALF:SpikeAexR.SECTHDR", "target": null }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Ragnar Locker", "display_name": "Ragnar Locker", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null }, { "id": "NanCore RAY", "display_name": "NanCore RAY", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "Healthcare", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 347, "FileHash-SHA1": 222, "FileHash-SHA256": 6645, "hostname": 2744, "URL": 9123, "domain": 3065, "email": 4 }, "indicator_count": 22150, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570913ea199e27fa3fc3266", "name": "btloader.com part 2 that otx froze - CVE-2017-0147 -", "description": "", "modified": "2023-12-06T15:20:29.831000", "created": "2023-12-06T15:20:29.831000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "hostname": 325, "domain": 122, "FileHash-SHA256": 393, "URL": 1000 }, "indicator_count": 1841, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708fdef7d4b5483117bb67", "name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances", "description": "", "modified": "2023-12-06T15:14:38.824000", "created": "2023-12-06T15:14:38.824000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 812, "domain": 110, "hostname": 502, "URL": 1437 }, "indicator_count": 2861, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544f195987ad886d609d965", "name": "Apple iOS | Skynet", "description": "PoemHunter.com\nAnti-Reverse Engineering Creates guarded memory regions (anti-debugging trick to avoid memory dumping)\ndetails , CNC\n tcp traffic, phishing, malicious, 24/7 tracking, monitoring, spyware, scanning host, malware host, command and control, adware, trojan, worm, apple iOS tracking, device location tracking, listening, information retrieval, malvertizing, BotNet service.", "modified": "2023-12-03T12:00:16.446000", "created": "2023-11-03T13:11:48.680000", "tags": [], "references": [ "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "Poemhunter.com", "iphone-track-service.info", "track-idevice-location.info", "http://45.159.189.105/bot/regex", "chat.pornhub.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 117, "FileHash-SHA256": 2855, "domain": 686, "hostname": 1730, "URL": 5380, "email": 2, "CVE": 3 }, "indicator_count": 10897, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654593cc8486ce8ed1254858", "name": "Apple iOS | Skynet", "description": "", "modified": "2023-12-03T12:00:16.446000", "created": "2023-11-04T00:43:56.830000", "tags": [], "references": [ "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "Poemhunter.com", "iphone-track-service.info", "track-idevice-location.info", "http://45.159.189.105/bot/regex", "chat.pornhub.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "6544f195987ad886d609d965", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 117, "FileHash-SHA256": 2855, "domain": 686, "hostname": 1730, "URL": 5380, "email": 2, "CVE": 3 }, "indicator_count": 10897, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62f2d5b46351f77f312db0fd", "name": "btloader.com part 2 that otx froze - CVE-2017-0147 -", "description": "", "modified": "2022-09-08T00:01:12.540000", "created": "2022-08-09T21:46:28.473000", "tags": [ "ipv4", "url http", "cdn range", "positive ipv4", "akamai rank", "type indicator", "reason hostname", "private ip", "address url", "CVE-2017-0147" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 325, "FileHash-SHA256": 393, "domain": 122, "CVE": 1 }, "indicator_count": 1841, "is_author": false, "is_subscribing": null, "subscriber_count": 401, "modified_text": "1319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62dd3c2d995db8d35f0b4e48", "name": "How tracker/3rd party abuse translates to much bigger crime netw", "description": "ooo I wonder how much malware is being delivered by numerous means masked in whitelisted and false positive ip's", "modified": "2022-08-23T00:02:12.321000", "created": "2022-07-24T12:33:49.953000", "tags": [], "references": [ "VT graph Json upload to otx", "https://www.virustotal.com/graph/g4655ac448333498bac4fb8b20fed4be62d42ea86d1824fcd9401ba5b30027f57", "can no longer create collections in account - get exceeded api allowance even on just 28 req's in 24 hours", "https://udc-neb.kampyle.com/v1/qceuv8449dzg58ptt1bhda9g8ue19c7s/track" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1137, "domain": 138, "hostname": 421, "FileHash-SHA256": 893, "CVE": 1 }, "indicator_count": 2590, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1335 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62bb08310a8957d97aa23c30", "name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances", "description": "", "modified": "2022-07-28T00:02:14.384000", "created": "2022-06-28T13:54:57.927000", "tags": [ "entity", "ubotbrowser", "20.99.132.105", "minecraft" ], "references": [ "https://www.virustotal.com/graph/g57851267a0734f7fab3824bb4cca5cb9afab6573d8fa4b54a4f624390f9ba0bc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 502, "URL": 1437, "domain": 110, "FileHash-SHA256": 812 }, "indicator_count": 2861, "is_author": false, "is_subscribing": null, "subscriber_count": 398, "modified_text": "1361 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Cowrie (honeypot) - Wikipedia", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "http://security.didici.cc/cve", "https://udc-neb.kampyle.com/v1/qceuv8449dzg58ptt1bhda9g8ue19c7s/track", "Yara Detections invalid_trailer_structure , multiple_versions", "Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | 103.246.145.111", "http://45.159.189.105/bot/regex", "https://otx.alienvault.com/indicator/url/https://theorg.com/_next/data/Gh7c6NpBHZESb74aisPB8/org/springboard-collaborative.json?companySlug=springboard-collaborative", "VT graph Json upload to otx", "Emotet: FileHash-MD5 bafae95c36402dfc1ea5fa04523e4e81", "development.digitalphotogallery.com _YandexDropperExtend", "CVE-2007-3896 | CVE-2023-22518 | CVE-2023-4966", "track-idevice-location.info", "can no longer create collections in account - get exceeded api allowance even on just 28 req's in 24 hours", "www.hallinjurylaw.com |\tMinneapolis Personal Injury Lawyer Personal Injury Law Experts", "https://nsa.gov1.info/utah-data-center/", "chat.pornhub.dev", "choco.exe", "jpocxaar1---r3---sn-jpocxaa-a03e.gvt1.com", "https://github.com/cowrie/cowrie", "Ransom: ransomed.vc", "FormBook: a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "Yara Detections: vad_contains_network_strings information | HackToolWin32Patch CodeOverlap | PWSWin32Phorex CodeOverlap", "Poemhunter.com", "Emotet: FileHash-SHA256 db9d59b0f192c91f8ecf939c415b3252b13b0fb052d4a66ceefb80dfb43d6e8a |", "Emotet: FileHash-SHA1\t19c14ab0aaab2c1dd922f0baca3cf64056f80acc", "Aspnet collect: https://otx.alienvault.com/otxapi/indicators/file/screenshot/000444cc67b97f45f11e1fdf89ad8f5127c87aa858fe151fa9c4975276f53b42", "thevisafirm.com | Immigration Lawyers Capital Immigration Lawyers Green Card Lawyer [ London, DC] malicious", "Phishing, Botnet PWD:https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "Malware Hosting IP addresses: 141.193.213.20 | 185.199.108.153| 185.199.110.153 | 185.199.111.153", "Malware: 0a6e883228a04a6e8738511a6210914dea1773d88cf57950c83e092f02c7f3bf - Other:Malware-gen\\ [Trj]", "https://www.virustotal.com/graph/g4655ac448333498bac4fb8b20fed4be62d42ea86d1824fcd9401ba5b30027f57", "https://theorg.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "https://hybrid-analysis.com/sample/ac09d7f6b26675a529a366b47bc09b3fd776576fb099c020f57204ff7b4ea31c", "https://www.virustotal.com/graph/g57851267a0734f7fab3824bb4cca5cb9afab6573d8fa4b54a4f624390f9ba0bc", "iphone-track-service.info", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "Yara: TrojanDropperWin32Ropest | CodeOverlap TrojanWin32Gatsorm | CodeOverlap TrojanWinNTConficker | CodeOverlap Alerts: WormWin32Pykspa", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "Scanning host: 31.214.178.54 , 37.152.88.54", "https://whois.domaintools.com/gov1.info", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware", "Ransom: CVE-2023-4966", "Malvertizing, Phishing, Botnet PWD: https://pin.it/ | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin" ], "malware_families": [ "Hallrender", "Alf:trojan:win32/cassini_f28c33a2!ibt", "Worm:win32/benjamin", "Formbook", "Alf:heraklezeval:trojan:win32/clipbanker , , alf:trojan:win32/autorun.pi!mtb , alf:trojan:win32/cassini_6d4ebdc9!ibt", "Worm:win32/pykspa.c", "Tulach", "Other:malware-gen\\ [trj]", "Qakbot", "Alf:trojan:win32/cassini_ade36583!ibt", "Sabey", "Alf:win32/gbdinf_123df591.j!ibt", "Alf:ransom:win32/babax.sg!mtb", "Alf:trojan:msil/agenttesla.km", "Win32:renos-ky\\ [trj]", "Apollolocker", "Hacktool", "Emotet", "Alf:heraklezeval:ransom:msil/gorf", "Ransom", "Qbot", "Trojan", "Worm", "Alf:spikeaexr.secthdr", "Ragnar locker", "Win.worm.pykspa-1", "Nancore ray", "Trojandropper:win32" ], "industries": [ "Insurance", "Technology", "Healthcare", "Immigration", "Government", "Media" ], "unique_indicators": 76589 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/boyaa.us", "whois": "http://whois.domaintools.com/boyaa.us", "domain": "boyaa.us", "hostname": "fbbaby.boyaa.us" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fc4d4c24f2000879921be5", "name": "The Org : FormBook CnC | Pykspa", "description": "Front Facing Description: 'TheOrg' (https://theorg.com) The Org\nThe Org is an online professional community platform. It helps organizations get more exposure externally and operate more efficiently internally. | efficiently internally | Nefarious scheme? Unclear. Possible visa, immigration scheme. | Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to. download other malware or extract personal data. || Dark. | Score 100% Falcon Sandbox | Evasive. Moved permanently 03/21/2024 | FormBook is an infostealer of browser cached credentials , screenshots, keystrokes. | Tags auto populated", "modified": "2024-04-20T14:04:02.366000", "created": "2024-03-21T15:07:56.415000", "tags": [ "q https", "https", "enablement", "org log", "sign", "contact", "right person", "explore", "start", "grafana labs", "ogilvy", "figma", "find", "apollo", "http", "span", "learn", "html", "expiry", "form", "label", "youtube video", "linkedin", "input", "pixel", "legend", "cookie", "march", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "protocol h2", "security tls", "united", "resource", "asn16509", "amazon02", "name value", "main", "ssl certificate", "whois record", "whois whois", "resolutions", "threat roundup", "communicating", "referrer", "subdomains", "historical ssl", "collections", "june", "february", "blister", "cobalt strike", "phishing", "formbook", "contacted", "ip check", "adult content", "divergent", "hacktool", "copy", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers age", "cachecontrol", "connection", "tsara brashears", "malicious", "life", "core", "dns replication", "date", "win32 exe", "files", "detections type", "name", "wininit", "office open", "xml document", "qiwi hack", "android", "mgeinteg", "html info", "title", "org meta", "tags viewport", "org twitter", "org og", "the org", "utc google", "tag manager", "g5nxq655fgp", "domain", "search", "status", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "passive dns", "urls", "bhagam bhag", "home screen", "entries", "createdate", "title bhagam", "select xmp", "filehash", "malware", "format", "unknown", "meta", "as44273 host", "creation date", "moved", "encrypt", "district", "body", "window", "hall law", "a domains", "script urls", "datalayer", "registrar", "next", "accept encoding", "showing", "yara rule", "http host", "worm", "high", "possible", "win32", "bits", "cname", "as396982 google", "redacted for", "expiration date", "div div", "as26710 icann", "script domains", "citadel", "indonesia", "get updates", "write c", "create c", "read c", "show", "default", "common upatre", "upatre", "downloader", "zeus", "write", "execution", "regsetvalueexa", "regdword", "module load", "dock", "persistence", "as54113", "github pages", "formbook cnc", "checkin", "lowfi", "class", "trojan", "accept", "visa scheme", "mtb feb", "mtb jan", "romeo scheme", "exploitation", "pattern match", "command decode", "mitre att", "suricata ipv4", "ck id", "show technique", "ck matrix", "suricata udpv4", "facebook", "hybrid", "general", "model", "comspec", "click", "strings", "footer", "michelle", "nora", "hallrender", "name servers", "record value", "emails", "servers", "found", "gmt content", "error", "code", "men", "man", "woman", "hit", "sreredrum", "honey client", "hiv", "threat", "paste", "iocs", "urls https", "malicious site", "phishing site", "blockchain", "unsafe", "malware site", "malicious url", "phishtank", "cyber threat", "artemis", "asyncrat", "team", "cisco umbrella", "site", "safe site", "heur", "million", "xrat", "downldr", "union", "bank", "gvt google video transcoding", "malvertizing", "targeting", "target", "yandex dropper extend", "remote procedure call", "identity_helper.exe", "cookie bot" ], "references": [ "https://theorg.com", "Ransom: CVE-2023-4966", "Ransom: ransomed.vc", "FormBook: a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | 103.246.145.111", "Malware: 0a6e883228a04a6e8738511a6210914dea1773d88cf57950c83e092f02c7f3bf - Other:Malware-gen\\ [Trj]", "Yara Detections invalid_trailer_structure , multiple_versions", "Malware Hosting IP addresses: 141.193.213.20 | 185.199.108.153| 185.199.110.153 | 185.199.111.153", "https://otx.alienvault.com/indicator/url/https://theorg.com/_next/data/Gh7c6NpBHZESb74aisPB8/org/springboard-collaborative.json?companySlug=springboard-collaborative", "Scanning host: 31.214.178.54 , 37.152.88.54", "Yara Detections: vad_contains_network_strings information | HackToolWin32Patch CodeOverlap | PWSWin32Phorex CodeOverlap", "Yara: TrojanDropperWin32Ropest | CodeOverlap TrojanWin32Gatsorm | CodeOverlap TrojanWinNTConficker | CodeOverlap Alerts: WormWin32Pykspa", "Aspnet collect: https://otx.alienvault.com/otxapi/indicators/file/screenshot/000444cc67b97f45f11e1fdf89ad8f5127c87aa858fe151fa9c4975276f53b42", "development.digitalphotogallery.com _YandexDropperExtend", "Emotet: FileHash-MD5 bafae95c36402dfc1ea5fa04523e4e81", "Emotet: FileHash-SHA256 db9d59b0f192c91f8ecf939c415b3252b13b0fb052d4a66ceefb80dfb43d6e8a |", "Emotet: FileHash-SHA1\t19c14ab0aaab2c1dd922f0baca3cf64056f80acc", "thevisafirm.com | Immigration Lawyers Capital Immigration Lawyers Green Card Lawyer [ London, DC] malicious", "www.hallinjurylaw.com |\tMinneapolis Personal Injury Lawyer Personal Injury Law Experts", "Malvertizing, Phishing, Botnet PWD: https://pin.it/ | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "Phishing, Botnet PWD:https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://hybrid-analysis.com/sample/ac09d7f6b26675a529a366b47bc09b3fd776576fb099c020f57204ff7b4ea31c", "CVE-2007-3896 | CVE-2023-22518 | CVE-2023-4966", "jpocxaar1---r3---sn-jpocxaa-a03e.gvt1.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": "Win.Worm.Pykspa-1", "display_name": "Win.Worm.Pykspa-1", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "ApolloLocker", "display_name": "ApolloLocker", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Media", "Immigration", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4567, "domain": 2576, "hostname": 1212, "FileHash-SHA256": 3836, "FileHash-MD5": 744, "FileHash-SHA1": 724, "CVE": 5, "email": 9, "SSLCertFingerprint": 1 }, "indicator_count": 13674, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "729 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b4cea3e6da3a00306ae11", "name": "Ragnar Locker | Cowrie Hash", "description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.", "modified": "2024-02-06T23:04:54.022000", "created": "2024-01-08T01:16:26.884000", "tags": [ "contacted", "pe resource", "execution", "problems", "alienvault part", "dropped", "kgs0", "kls0", "collections", "schema abuse", "iframe", "united", "as29791", "search", "entries", "passive dns", "urls", "service", "date", "unknown", "japan unknown", "body", "czechia unknown", "sinkhole", "emotet", "date hash", "avast avg", "mtb dec", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "samples", "tulach", "tulach.cc", "sabey data center", "malware server", "gorf", "set cookie", "united kingdom", "script urls", "trojan", "status", "showing", "cookie", "template", "johnnsabey", "briansabey", "data center", "choco", "name", "win32 exe", "domains", "registrar", "markmonitor inc", "ip detections", "country", "us execution", "parents", "whois record", "whois whois", "ssl certificate", "apple ios", "red team", "tsara brashears", "historical ssl", "hacktool", "copy", "malicious", "life", "unsafe", "server", "registrar abuse", "contact phone", "domain status", "registrar whois", "email", "registry domain", "registry expiry", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "show", "free", "recon", "benjamin", "write", "worm", "win32", "june", "delphi", "code", "malware", "next", "using", "urls http", "benjamin", "nids", "cowrie hashes", "dns replication", "files", "sample", "sender", "us postal", "cowrie", "iranian actor", "shipping", "healthcare", "ragnar locker", "qakbot", "qbot", "pii", "phi", "privacy", "honeypot", "referrer", "spyware", "android", "nanocore", "banker", "keylogger" ], "references": [ "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://security.didici.cc/cve", "https://whois.domaintools.com/gov1.info", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "Cowrie (honeypot) - Wikipedia", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware" ], "public": 1, "adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "ALF:Win32/GbdInf_123DF591.J!ibt", "display_name": "ALF:Win32/GbdInf_123DF591.J!ibt", "target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt" }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null }, { "id": "ALF:SpikeAexR.SECTHDR", "display_name": "ALF:SpikeAexR.SECTHDR", "target": null }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Ragnar Locker", "display_name": "Ragnar Locker", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null }, { "id": "NanCore RAY", "display_name": "NanCore RAY", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "Healthcare", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 347, "FileHash-SHA1": 222, "FileHash-SHA256": 6645, "hostname": 2744, "URL": 9123, "domain": 3065, "email": 4 }, "indicator_count": 22150, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://fbbaby.boyaa.us", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://fbbaby.boyaa.us", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630444.7875423 }