{ "type": "URL", "indicator": "https://git.sprinter.es", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://git.sprinter.es", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3913121301, "indicator": "https://git.sprinter.es", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 19, "pulses": [ { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6769c9335e6691b76d03c761", "name": "waketagat", "description": "", "modified": "2024-12-23T20:33:55.121000", "created": "2024-12-23T20:33:55.121000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1470, "domain": 31, "hostname": 472, "FileHash-SHA256": 63 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "481 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "546 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7f69cd76278113c22968", "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:44:41.449000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper", "cape" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bf15d571906a0a5e1a3", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:53.002000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7ac0b39138b588fa325b", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:24:48.834000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2287, "CVE": 10, "email": 6 }, "indicator_count": 19121, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c661131c5003925e9bfe15", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:11.612000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c66114103f15aab3b00d6c", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:12.543000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ca37ac60cb425a2b3856c6", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-24T19:42:36.642000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66c66114103f15aab3b00d6c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d4b052225d396d18e395c3", "name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-09-01T18:20:02.256000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7aa9d0ec86cff5b95b64", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-09-12T14:01:56.106000", "created": "2024-08-13T15:24:25.284000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f270d3801ae3dfde1cd0", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware ", "description": "", "modified": "2024-07-30T08:04:39.977000", "created": "2024-07-01T00:04:00.567000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": "668115d703e0a46887c7f08d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668115d703e0a46887c7f08d", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware", "description": "Targeted Individual has experienced attacks on both iOS, Android, MacBooks & PC's. Drive-by Compromise can be accomplished by various methods this can be done, for example: A pop up advert could have an 'X' in the corner that disguises itself as a close button, but actually acts as a catalyst for starting a malicious download once pressed. A tactic used on specific target is a pop-up w/with (a non-Google affiliated disclaimer)'Google' account chooser with Google logo desired email checked. [https://accounts.google.com/AccountChooser?]; checked. Every time TB acquired a new phone, this occurs. A link could appear legitimate, but clicking on it could cause the download to begin. Drive-by Compromise \u00b7 A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript.", "modified": "2024-07-30T08:04:39.977000", "created": "2024-06-30T08:22:47.783000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "629 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "629 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "https://twitter.com/PORNO_SEXYBABES", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Sakula RAT: www.polarroute.com", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "MyChart Phishing Scams", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://sslproxy.gatewayclient3.v.hikops.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "youngcoders.ng", "Yara Detections: osx_GoLang", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://www.pornhub.com/video/search?search=tsara+brashears", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "espysite.azurewebsites.net", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Above links in search results direct out with and arrow pointing out.", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "152.199.171.19 : USDA Fort Collins, Colorado", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "Yara Detections: Delphi", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "boot.net.anydesk.com removed from my Pulse below", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "152.199.161.19: ANS Communications, Inc (ANS)", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "http://appleidi-iforgot.3utilities.com/Verify.php", "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "samsungdevapi.reverselogix.net", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Slf:trojan:win32/grandoreiro.a", "Win32:mystic", "Pup/win32.bundler.r1865", "Alf:trojan:bat/envvarcharreplacement", "Win32:pwsx-gen\\ [trj]", "Win.dropper.tofsee-10023347-0", "Trojan:win32/danabot", "Other:malware-gen\\ [trj]", "Trojan:win32/zombie", "Alf:jasyp:backdoor:win32/cycbot", "Trojan:win32/azorult", "Win.malware.drivepack-9884589-1", "Trojanspy", "Win64-trojan/pakes.exp", "Ransom:win32/genasom", "Trojanspy:win32/usteal", "Win64:ransomx-gen", "Ransom:win32/crowti.a", "Adware.adload/adinstaller", "Trojan:win32/glupteba.mt!mtb", "Pws:win32/ymacco", "Win32:vb-ajkp\\ [trj]", "Adware:win32/adload.0e19dea6", "Alf:heraklezeval:virtool:win32/waledac!rfn", "Backdoor:win32/tofsee", "Trojan:win32/eqtonex", "Win.malware.swisyn-7610494-0", "Zeus", "Win.trojan.emotet-9951800-0", "Inno:downloader-j [pup]", "#lowfienabledtcontinueafterunpacking", "Trojandropper:win32/muldrop", "Trojanspy:win32/nivdort", "Virtool:win32/obfuscator", "Tel:trojan:win32/injector.ab!msr", "Win.trojan.xblocker-236", "Win.packed.razy-9828382-0", "Win.trojan.poetrat-7669676-0", "Worm:win32/autorun", "#lowfi:hstr:win32/exprio", "Sakula rat", "Trojandownloader:win32/tofsee", "Trojan:win32/meredrop", "Mivast", "Sakula", "Trojandownloader:win32/banload", "Virtool:win32/injector" ], "industries": [ "Targeted individuals", "Civilian society", "Civil society", "Technology", "Healthcare" ], "unique_indicators": 87357 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sprinter.es", "whois": "http://whois.domaintools.com/sprinter.es", "domain": "sprinter.es", "hostname": "git.sprinter.es" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 19, "pulses": [ { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6769c9335e6691b76d03c761", "name": "waketagat", "description": "", "modified": "2024-12-23T20:33:55.121000", "created": "2024-12-23T20:33:55.121000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1470, "domain": 31, "hostname": 472, "FileHash-SHA256": 63 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "481 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "546 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7f69cd76278113c22968", "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:44:41.449000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper", "cape" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bf15d571906a0a5e1a3", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:53.002000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7ac0b39138b588fa325b", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:24:48.834000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2287, "CVE": 10, "email": 6 }, "indicator_count": 19121, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c661131c5003925e9bfe15", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:11.612000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://git.sprinter.es", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://git.sprinter.es", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629323.1884825 }