{ "type": "URL", "indicator": "https://flarenotes.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://flarenotes.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3982143118, "indicator": "https://flarenotes.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "111 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b0fbceab364a2b84b1124", "name": "Busybox MIORI Hackers - ongoing Aurora , Medical Campus -Mirai [by scoreblue -Team 8]", "description": "", "modified": "2025-07-31T06:39:56.204000", "created": "2025-07-31T06:39:56.204000", "tags": [ "idnischdr http", "computer", "america asn", "as7018 att", "url https", "america", "united states", "united", "germany", "italy", "trojan", "all scoreblue", "report spam", "created", "trojanspy", "worm", "trojanclicker", "virtool", "service", "all search", "author avatar", "miori hackers", "file score", "detections elf", "path", "busybox busybox", "brute force", "attack bad", "login yara", "detections", "sid name", "malware cve", "suspicious path", "busybox", "activity", "system", "malware beacon", "bad login", "attack", "port", "destination", "show", "search", "exif data", "property value", "elf info", "key value", "x86 baddr", "elf64 crypto", "final url", "ip address", "status code", "body", "kb body", "sha256", "server", "gmt connection", "date sun", "gmt contenttype", "filehashsha256", "crazy doll", "next", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "cus stcolorado", "info", "director", "orgtechhandle", "orgtechref", "university", "whois lookup", "netrange", "nethandle", "net168", "net1680000", "ucha", "network", "registry arin", "country us", "continent na", "meta", "script script", "lance mueller", "mueller", "unknown", "script urls", "photography", "passive dns", "urls", "model", "creation date", "hostname", "pulse submit", "url analysis", "files", "domain", "status", "http", "record value", "emails", "dnssec", "domain name", "backdoor", "bad request", "entries", "title style", "f2f2f2 color", "helvetica neue", "exploit", "browse scan", "endpoints all", "search otx", "related pulses", "file samples", "files matching", "as44273 host", "showing", "telper", "date hash", "copyright", "url http", "win64", "as53665 bodis", "aaaa", "as206834 team", "canada unknown", "read c", "create c", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "dock", "write", "execution", "copy", "xport", "1575038779", "medium", "capture", "malware", "february", "as61969 team", "servers", "domain robot", "expiration date", "as714 apple", "as42 woodynet", "nxdomain", "name servers", "a nxdomain", "ipv4", "found", "control", "content type", "as20940", "asnone united", "as701 verizon", "as2914 ntt", "win32", "certificate", "date", "dynamicloader", "high", "t1055", "attempts", "yara detections", "bitcoinaltcoin", "code injection", "high defense", "ip related", "pulses otx", "pulses", "overview domain", "files ip", "address domain", "related tags", "pulse pulses", "div div", "as49505", "span", "form", "as6185 apple", "china", "as4812 china", "as17816 china", "as4134 chinanet", "scan endpoints", "trojan features", "enigmaprotector", "dynamic", "powershell", "filehash", "for privacy", "ltd dba", "com laude", "cname", "cve20170147 sep", "verdict", "as63949 linode", "https", "as8075", "united kingdom", "whitelisted", "as25825", "moved", "aurora", "redacted for", "whois lookups", "orgid", "east", "seen", "update date", "cidr", "netname uch", "parent net168", "nettype direct", "contacted", "tulach", "brian sabey" ], "references": [ "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "ELF:Mirai-TO\\ [Trj] tulach.cc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Yara Detections: is__elf", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "public": 1, "adversary": "busybox MIORI Hackers", "targeted_countries": [ "United States of America", "Mexico" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Bulilit", "display_name": "TrojanDownloader:Win32/Bulilit", "target": "/malware/TrojanDownloader:Win32/Bulilit" }, { "id": "ELF:Mirai-TO\\ [Trj]", "display_name": "ELF:Mirai-TO\\ [Trj]", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TELPER:HSTR:DotCisOffer", "display_name": "TELPER:HSTR:DotCisOffer", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Backdoor:Win32/Bladabindi", "display_name": "Backdoor:Win32/Bladabindi", "target": "/malware/Backdoor:Win32/Bladabindi" }, { "id": "ALF:E5", "display_name": "ALF:E5", "target": null }, { "id": "Win.Malware.Midie-9950743-0", "display_name": "Win.Malware.Midie-9950743-0", "target": null }, { "id": "Trojan:Win32/Emotet.ARJ!MTB", "display_name": "Trojan:Win32/Emotet.ARJ!MTB", "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "66fb3c4e8a2593134641f3c0", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 459, "FileHash-MD5": 1228, "FileHash-SHA1": 1163, "FileHash-SHA256": 2243, "domain": 876, "hostname": 1088, "CIDR": 2, "email": 17, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 7083, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "262 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "281 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "682dd4e25a347684b2dfeabe", "name": "Apple Radar? Manipulated iOS products access , manipulate , control technology in periphery", "description": "Apple product(s) using radar? access nearby tech, (Apple products, other brands, televisions, MP3 players). Target reports other devices have been erased, refreshed, truncated,. .https://ssdauthority.com/does-sandisk-ixpand-work-on-windows/ |\nssdauthority.com |\nradarsubmissions.apple.com |\nsecure.www.apple.com\nThis will take further, in depth investigation. I can\u2019t explain what seems fantastical and be. considered sane. Many files resolved already.", "modified": "2025-06-20T12:05:58.229000", "created": "2025-05-21T13:28:01.980000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 637, "CVE": 1, "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 1296, "domain": 170, "hostname": 369 }, "indicator_count": 2524, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6810fc9906f77b86e54482c1", "name": "(port_scan) TCP filtered portsweep 17.253.83.201 strefa=1003.v.vgt.pl", "description": "https://ti.qianxin.com/v2/search?type=ip&value=94.152.152.233\nstrefa=1003.v.vgt.pl\n773906b0efdefa24a7f2b8eb6985bf37", "modified": "2025-05-29T16:04:10.332000", "created": "2025-04-29T16:21:45.491000", "tags": [ "submission", "vhash", "ssdeep", "html internet", "magic html", "unicode text", "utf8", "crlf line", "trid text", "magika html", "ip wykrycia", "system", "kraj" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 68, "hostname": 25, "domain": 46, "URL": 155, "CVE": 2 }, "indicator_count": 300, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "325 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fb3c4e8a2593134641f3c0", "name": "busybox MIORI Hackers - attack Aurora, Medical Campus -Mirai", "description": "*Tipped-Patient reports computers with fully locked screens log in every time she enters a room at UC Health Anshutz Campus. Unauthorized Login: http://ITSupport.UCHealth.org. Graphs deleted from Virus Total\u00bbLogin ID: 168.200.45.168 [bound]. I've tried to post pulse multiple times. IP's were contacted. Brute force attempts on my device. Anyway it's Tulach. There is a 'pro- ale' and other 'monitoring, silencing, dangerous groups' silencing crime victims, journalists, dissents, potential whistle blowers. One victim attacked physically losing health battle. Doctors unwilling to treat.Auto populated\u00bb The full text of the Mirai-TO malware, which was launched on Friday, has now been published on the website of www.forensickb.co.uk..com. hmmm...there was a counter attack.", "modified": "2024-10-30T22:04:06.705000", "created": "2024-10-01T00:03:26.199000", "tags": [ "idnischdr http", "computer", "america asn", "as7018 att", "url https", "america", "united states", "united", "germany", "italy", "trojan", "all scoreblue", "report spam", "created", "trojanspy", "worm", "trojanclicker", "virtool", "service", "all search", "author avatar", "miori hackers", "file score", "detections elf", "path", "busybox busybox", "brute force", "attack bad", "login yara", "detections", "sid name", "malware cve", "suspicious path", "busybox", "activity", "system", "malware beacon", "bad login", "attack", "port", "destination", "show", "search", "exif data", "property value", "elf info", "key value", "x86 baddr", "elf64 crypto", "final url", "ip address", "status code", "body", "kb body", "sha256", "server", "gmt connection", "date sun", "gmt contenttype", "filehashsha256", "crazy doll", "next", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "cus stcolorado", "info", "director", "orgtechhandle", "orgtechref", "university", "whois lookup", "netrange", "nethandle", "net168", "net1680000", "ucha", "network", "registry arin", "country us", "continent na", "meta", "script script", "lance mueller", "mueller", "unknown", "script urls", "photography", "passive dns", "urls", "model", "creation date", "hostname", "pulse submit", "url analysis", "files", "domain", "status", "http", "record value", "emails", "dnssec", "domain name", "backdoor", "bad request", "entries", "title style", "f2f2f2 color", "helvetica neue", "exploit", "browse scan", "endpoints all", "search otx", "related pulses", "file samples", "files matching", "as44273 host", "showing", "telper", "date hash", "copyright", "url http", "win64", "as53665 bodis", "aaaa", "as206834 team", "canada unknown", "read c", "create c", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "dock", "write", "execution", "copy", "xport", "1575038779", "medium", "capture", "malware", "february", "as61969 team", "servers", "domain robot", "expiration date", "as714 apple", "as42 woodynet", "nxdomain", "name servers", "a nxdomain", "ipv4", "found", "control", "content type", "as20940", "asnone united", "as701 verizon", "as2914 ntt", "win32", "certificate", "date", "dynamicloader", "high", "t1055", "attempts", "yara detections", "bitcoinaltcoin", "code injection", "high defense", "ip related", "pulses otx", "pulses", "overview domain", "files ip", "address domain", "related tags", "pulse pulses", "div div", "as49505", "span", "form", "as6185 apple", "china", "as4812 china", "as17816 china", "as4134 chinanet", "scan endpoints", "trojan features", "enigmaprotector", "dynamic", "powershell", "filehash", "for privacy", "ltd dba", "com laude", "cname", "cve20170147 sep", "verdict", "as63949 linode", "https", "as8075", "united kingdom", "whitelisted", "as25825", "moved", "aurora", "redacted for", "whois lookups", "orgid", "east", "seen", "update date", "cidr", "netname uch", "parent net168", "nettype direct", "contacted", "tulach", "brian sabey" ], "references": [ "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "ELF:Mirai-TO\\ [Trj] tulach.cc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Yara Detections: is__elf", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "public": 1, "adversary": "busybox MIORI Hackers", "targeted_countries": [ "United States of America", "Mexico" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Bulilit", "display_name": "TrojanDownloader:Win32/Bulilit", "target": "/malware/TrojanDownloader:Win32/Bulilit" }, { "id": "ELF:Mirai-TO\\ [Trj]", "display_name": "ELF:Mirai-TO\\ [Trj]", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TELPER:HSTR:DotCisOffer", "display_name": "TELPER:HSTR:DotCisOffer", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Backdoor:Win32/Bladabindi", "display_name": "Backdoor:Win32/Bladabindi", "target": "/malware/Backdoor:Win32/Bladabindi" }, { "id": "ALF:E5", "display_name": "ALF:E5", "target": null }, { "id": "Win.Malware.Midie-9950743-0", "display_name": "Win.Malware.Midie-9950743-0", "target": null }, { "id": "Trojan:Win32/Emotet.ARJ!MTB", "display_name": "Trojan:Win32/Emotet.ARJ!MTB", "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 459, "FileHash-MD5": 1228, "FileHash-SHA1": 1163, "FileHash-SHA256": 2243, "domain": 876, "hostname": 1088, "CIDR": 2, "email": 17, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 7083, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f44b56b1c42433231641e9", "name": "47be59af1862f9ee7c9e8391512cd79f226fd09ebaca37b8902c126a85722027 - OG Certs Group 1 (J/Skocherhan; Enriched)", "description": "Description\n47be59af1862f9ee7c9e8391512cd79f226fd09ebaca37b8902c126a85722027 - OG Certs Group 1 - 09.25.24 This Collection is based on above file (a zipped file containing certificates) and created from graphs by myself and skocherhan (09.2024)\n\nhttps://www.virustotal.com/graph/embed/ga6f4f3cb5f1143dba3a0c5c4de4b4253709421851a914925a1512678f1034e9a?theme=dark + https://www.virustotal.com/graph/embed/g9e26667333d9418897f0ed8ce09560a6f8c68666f388427fb984306cf72b0125?theme=dark = This Collection\nEnriched on import into AlienVault/LBLs", "modified": "2024-10-25T17:05:01.856000", "created": "2024-09-25T17:41:42.241000", "tags": [ "entity", "please", "javascript", "Certificates" ], "references": [ "https://www.virustotal.com/graph/embed/g9e26667333d9418897f0ed8ce09560a6f8c68666f388427fb984306cf72b0125?theme=dark", "https://www.virustotal.com/graph/embed/ga6f4f3cb5f1143dba3a0c5c4de4b4253709421851a914925a1512678f1034e9a?theme=dark", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a/iocs", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 113, "FileHash-SHA1": 112, "FileHash-SHA256": 1996, "URL": 568, "domain": 500, "hostname": 394 }, "indicator_count": 3683, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://fakejuko.site40/", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "Title The page title. Chieti Meteo - Webcam Abruzzo", "ELF:Mirai-TO\\ [Trj] tulach.cc", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "https://www.virustotal.com/graph/embed/ga6f4f3cb5f1143dba3a0c5c4de4b4253709421851a914925a1512678f1034e9a?theme=dark", "pegacloud.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: Observed Suspicious UA (Mozilla/5.0)", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS: OnionDuke CnC Beacon 1", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "IDS: Data POST to an image file (jpg)", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "IDS: Win32.Scar.hhrw POST", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "https://www.virustotal.com/graph/embed/g9e26667333d9418897f0ed8ce09560a6f8c68666f388427fb984306cf72b0125?theme=dark", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Yara Detections: is__elf", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "savethemalesdenver.com | brasville.com.br?", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS: Win32/Ibashade CnC Beacon", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a/iocs", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a/graph", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "busybox MIORI Hackers" ], "malware_families": [ "Trojanspy:win32/nivdort", "Backdoor:win32/bladabindi", "Win.malware.midie-9950743-0", "Mirai", "Backdoor:linux/mirai.b", "Alf:e5", "Artro", "Pegasus - mob-s0005", "Telper:hstr:dotcisoffer", "Win32:wormx-gen [wrm]", "Trojan:win32/emotet.arj!mtb", "Elf:mirai-to\\ [trj]", "Apnic", "Worm:win32:drolnux", "Trojandownloader:win32/bulilit" ], "industries": [ "Government", "Telecommunications", "Technology" ], "unique_indicators": 68828 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/flarenotes.com", "whois": "http://whois.domaintools.com/flarenotes.com", "domain": "flarenotes.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "111 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b0fbceab364a2b84b1124", "name": "Busybox MIORI Hackers - ongoing Aurora , Medical Campus -Mirai [by scoreblue -Team 8]", "description": "", "modified": "2025-07-31T06:39:56.204000", "created": "2025-07-31T06:39:56.204000", "tags": [ "idnischdr http", "computer", "america asn", "as7018 att", "url https", "america", "united states", "united", "germany", "italy", "trojan", "all scoreblue", "report spam", "created", "trojanspy", "worm", "trojanclicker", "virtool", "service", "all search", "author avatar", "miori hackers", "file score", "detections elf", "path", "busybox busybox", "brute force", "attack bad", "login yara", "detections", "sid name", "malware cve", "suspicious path", "busybox", "activity", "system", "malware beacon", "bad login", "attack", "port", "destination", "show", "search", "exif data", "property value", "elf info", "key value", "x86 baddr", "elf64 crypto", "final url", "ip address", "status code", "body", "kb body", "sha256", "server", "gmt connection", "date sun", "gmt contenttype", "filehashsha256", "crazy doll", "next", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "cus stcolorado", "info", "director", "orgtechhandle", "orgtechref", "university", "whois lookup", "netrange", "nethandle", "net168", "net1680000", "ucha", "network", "registry arin", "country us", "continent na", "meta", "script script", "lance mueller", "mueller", "unknown", "script urls", "photography", "passive dns", "urls", "model", "creation date", "hostname", "pulse submit", "url analysis", "files", "domain", "status", "http", "record value", "emails", "dnssec", "domain name", "backdoor", "bad request", "entries", "title style", "f2f2f2 color", "helvetica neue", "exploit", "browse scan", "endpoints all", "search otx", "related pulses", "file samples", "files matching", "as44273 host", "showing", "telper", "date hash", "copyright", "url http", "win64", "as53665 bodis", "aaaa", "as206834 team", "canada unknown", "read c", "create c", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "dock", "write", "execution", "copy", "xport", "1575038779", "medium", "capture", "malware", "february", "as61969 team", "servers", "domain robot", "expiration date", "as714 apple", "as42 woodynet", "nxdomain", "name servers", "a nxdomain", "ipv4", "found", "control", "content type", "as20940", "asnone united", "as701 verizon", "as2914 ntt", "win32", "certificate", "date", "dynamicloader", "high", "t1055", "attempts", "yara detections", "bitcoinaltcoin", "code injection", "high defense", "ip related", "pulses otx", "pulses", "overview domain", "files ip", "address domain", "related tags", "pulse pulses", "div div", "as49505", "span", "form", "as6185 apple", "china", "as4812 china", "as17816 china", "as4134 chinanet", "scan endpoints", "trojan features", "enigmaprotector", "dynamic", "powershell", "filehash", "for privacy", "ltd dba", "com laude", "cname", "cve20170147 sep", "verdict", "as63949 linode", "https", "as8075", "united kingdom", "whitelisted", "as25825", "moved", "aurora", "redacted for", "whois lookups", "orgid", "east", "seen", "update date", "cidr", "netname uch", "parent net168", "nettype direct", "contacted", "tulach", "brian sabey" ], "references": [ "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "ELF:Mirai-TO\\ [Trj] tulach.cc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Yara Detections: is__elf", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "public": 1, "adversary": "busybox MIORI Hackers", "targeted_countries": [ "United States of America", "Mexico" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Bulilit", "display_name": "TrojanDownloader:Win32/Bulilit", "target": "/malware/TrojanDownloader:Win32/Bulilit" }, { "id": "ELF:Mirai-TO\\ [Trj]", "display_name": "ELF:Mirai-TO\\ [Trj]", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TELPER:HSTR:DotCisOffer", "display_name": "TELPER:HSTR:DotCisOffer", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Backdoor:Win32/Bladabindi", "display_name": "Backdoor:Win32/Bladabindi", "target": "/malware/Backdoor:Win32/Bladabindi" }, { "id": "ALF:E5", "display_name": "ALF:E5", "target": null }, { "id": "Win.Malware.Midie-9950743-0", "display_name": "Win.Malware.Midie-9950743-0", "target": null }, { "id": "Trojan:Win32/Emotet.ARJ!MTB", "display_name": "Trojan:Win32/Emotet.ARJ!MTB", "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "66fb3c4e8a2593134641f3c0", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 459, "FileHash-MD5": 1228, "FileHash-SHA1": 1163, "FileHash-SHA256": 2243, "domain": 876, "hostname": 1088, "CIDR": 2, "email": 17, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 7083, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "262 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "281 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "682dd4e25a347684b2dfeabe", "name": "Apple Radar? Manipulated iOS products access , manipulate , control technology in periphery", "description": "Apple product(s) using radar? access nearby tech, (Apple products, other brands, televisions, MP3 players). Target reports other devices have been erased, refreshed, truncated,. .https://ssdauthority.com/does-sandisk-ixpand-work-on-windows/ |\nssdauthority.com |\nradarsubmissions.apple.com |\nsecure.www.apple.com\nThis will take further, in depth investigation. I can\u2019t explain what seems fantastical and be. considered sane. Many files resolved already.", "modified": "2025-06-20T12:05:58.229000", "created": "2025-05-21T13:28:01.980000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 637, "CVE": 1, "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 1296, "domain": 170, "hostname": 369 }, "indicator_count": 2524, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6810fc9906f77b86e54482c1", "name": "(port_scan) TCP filtered portsweep 17.253.83.201 strefa=1003.v.vgt.pl", "description": "https://ti.qianxin.com/v2/search?type=ip&value=94.152.152.233\nstrefa=1003.v.vgt.pl\n773906b0efdefa24a7f2b8eb6985bf37", "modified": "2025-05-29T16:04:10.332000", "created": "2025-04-29T16:21:45.491000", "tags": [ "submission", "vhash", "ssdeep", "html internet", "magic html", "unicode text", "utf8", "crlf line", "trid text", "magika html", "ip wykrycia", "system", "kraj" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 68, "hostname": 25, "domain": 46, "URL": 155, "CVE": 2 }, "indicator_count": 300, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "325 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fb3c4e8a2593134641f3c0", "name": "busybox MIORI Hackers - attack Aurora, Medical Campus -Mirai", "description": "*Tipped-Patient reports computers with fully locked screens log in every time she enters a room at UC Health Anshutz Campus. Unauthorized Login: http://ITSupport.UCHealth.org. Graphs deleted from Virus Total\u00bbLogin ID: 168.200.45.168 [bound]. I've tried to post pulse multiple times. IP's were contacted. Brute force attempts on my device. Anyway it's Tulach. There is a 'pro- ale' and other 'monitoring, silencing, dangerous groups' silencing crime victims, journalists, dissents, potential whistle blowers. One victim attacked physically losing health battle. Doctors unwilling to treat.Auto populated\u00bb The full text of the Mirai-TO malware, which was launched on Friday, has now been published on the website of www.forensickb.co.uk..com. hmmm...there was a counter attack.", "modified": "2024-10-30T22:04:06.705000", "created": "2024-10-01T00:03:26.199000", "tags": [ "idnischdr http", "computer", "america asn", "as7018 att", "url https", "america", "united states", "united", "germany", "italy", "trojan", "all scoreblue", "report spam", "created", "trojanspy", "worm", "trojanclicker", "virtool", "service", "all search", "author avatar", "miori hackers", "file score", "detections elf", "path", "busybox busybox", "brute force", "attack bad", "login yara", "detections", "sid name", "malware cve", "suspicious path", "busybox", "activity", "system", "malware beacon", "bad login", "attack", "port", "destination", "show", "search", "exif data", "property value", "elf info", "key value", "x86 baddr", "elf64 crypto", "final url", "ip address", "status code", "body", "kb body", "sha256", "server", "gmt connection", "date sun", "gmt contenttype", "filehashsha256", "crazy doll", "next", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "cus stcolorado", "info", "director", "orgtechhandle", "orgtechref", "university", "whois lookup", "netrange", "nethandle", "net168", "net1680000", "ucha", "network", "registry arin", "country us", "continent na", "meta", "script script", "lance mueller", "mueller", "unknown", "script urls", "photography", "passive dns", "urls", "model", "creation date", "hostname", "pulse submit", "url analysis", "files", "domain", "status", "http", "record value", "emails", "dnssec", "domain name", "backdoor", "bad request", "entries", "title style", "f2f2f2 color", "helvetica neue", "exploit", "browse scan", "endpoints all", "search otx", "related pulses", "file samples", "files matching", "as44273 host", "showing", "telper", "date hash", "copyright", "url http", "win64", "as53665 bodis", "aaaa", "as206834 team", "canada unknown", "read c", "create c", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "dock", "write", "execution", "copy", "xport", "1575038779", "medium", "capture", "malware", "february", "as61969 team", "servers", "domain robot", "expiration date", "as714 apple", "as42 woodynet", "nxdomain", "name servers", "a nxdomain", "ipv4", "found", "control", "content type", "as20940", "asnone united", "as701 verizon", "as2914 ntt", "win32", "certificate", "date", "dynamicloader", "high", "t1055", "attempts", "yara detections", "bitcoinaltcoin", "code injection", "high defense", "ip related", "pulses otx", "pulses", "overview domain", "files ip", "address domain", "related tags", "pulse pulses", "div div", "as49505", "span", "form", "as6185 apple", "china", "as4812 china", "as17816 china", "as4134 chinanet", "scan endpoints", "trojan features", "enigmaprotector", "dynamic", "powershell", "filehash", "for privacy", "ltd dba", "com laude", "cname", "cve20170147 sep", "verdict", "as63949 linode", "https", "as8075", "united kingdom", "whitelisted", "as25825", "moved", "aurora", "redacted for", "whois lookups", "orgid", "east", "seen", "update date", "cidr", "netname uch", "parent net168", "nettype direct", "contacted", "tulach", "brian sabey" ], "references": [ "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "ELF:Mirai-TO\\ [Trj] tulach.cc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Yara Detections: is__elf", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "public": 1, "adversary": "busybox MIORI Hackers", "targeted_countries": [ "United States of America", "Mexico" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Bulilit", "display_name": "TrojanDownloader:Win32/Bulilit", "target": "/malware/TrojanDownloader:Win32/Bulilit" }, { "id": "ELF:Mirai-TO\\ [Trj]", "display_name": "ELF:Mirai-TO\\ [Trj]", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TELPER:HSTR:DotCisOffer", "display_name": "TELPER:HSTR:DotCisOffer", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Backdoor:Win32/Bladabindi", "display_name": "Backdoor:Win32/Bladabindi", "target": "/malware/Backdoor:Win32/Bladabindi" }, { "id": "ALF:E5", "display_name": "ALF:E5", "target": null }, { "id": "Win.Malware.Midie-9950743-0", "display_name": "Win.Malware.Midie-9950743-0", "target": null }, { "id": "Trojan:Win32/Emotet.ARJ!MTB", "display_name": "Trojan:Win32/Emotet.ARJ!MTB", "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 459, "FileHash-MD5": 1228, "FileHash-SHA1": 1163, "FileHash-SHA256": 2243, "domain": 876, "hostname": 1088, "CIDR": 2, "email": 17, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 7083, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f44b56b1c42433231641e9", "name": "47be59af1862f9ee7c9e8391512cd79f226fd09ebaca37b8902c126a85722027 - OG Certs Group 1 (J/Skocherhan; Enriched)", "description": "Description\n47be59af1862f9ee7c9e8391512cd79f226fd09ebaca37b8902c126a85722027 - OG Certs Group 1 - 09.25.24 This Collection is based on above file (a zipped file containing certificates) and created from graphs by myself and skocherhan (09.2024)\n\nhttps://www.virustotal.com/graph/embed/ga6f4f3cb5f1143dba3a0c5c4de4b4253709421851a914925a1512678f1034e9a?theme=dark + https://www.virustotal.com/graph/embed/g9e26667333d9418897f0ed8ce09560a6f8c68666f388427fb984306cf72b0125?theme=dark = This Collection\nEnriched on import into AlienVault/LBLs", "modified": "2024-10-25T17:05:01.856000", "created": "2024-09-25T17:41:42.241000", "tags": [ "entity", "please", "javascript", "Certificates" ], "references": [ "https://www.virustotal.com/graph/embed/g9e26667333d9418897f0ed8ce09560a6f8c68666f388427fb984306cf72b0125?theme=dark", "https://www.virustotal.com/graph/embed/ga6f4f3cb5f1143dba3a0c5c4de4b4253709421851a914925a1512678f1034e9a?theme=dark", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a/iocs", "https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 113, "FileHash-SHA1": 112, "FileHash-SHA256": 1996, "URL": 568, "domain": 500, "hostname": 394 }, "indicator_count": 3683, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://flarenotes.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://flarenotes.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638275.2865808 }