{ "type": "URL", "indicator": "https://goresolver.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://goresolver.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3836493182, "indicator": "https://goresolver.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6615d6998eba463f36adf923", "name": "hxxps://viz[.]greynoise[.]io/analysis/22fe6389-fe4a-49dc-b343-b6a2feb32864 - 04.04.24 by jwanihad (enriched)", "description": "", "modified": "2025-06-23T17:53:11.641000", "created": "2024-04-10T00:00:25.617000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2361, "domain": 632, "FileHash-SHA256": 644, "hostname": 918 }, "indicator_count": 4555, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "341 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c3bd803f15cd94aab6e287", "name": "Lumma Stealer | Colorado Medical Center HCA", "description": "Needs further investigation. Miscellaneous attack affecting Denver physicians directory. Visitors accessing the page using insecure devices may be affected. PII & PHI breached. Monitoring.", "modified": "2024-03-08T17:04:03.644000", "created": "2024-02-07T17:27:28.349000", "tags": [ "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "execution", "resolutions", "problems", "siblings domain", "whois whois", "startpage", "httponly", "samesitenone", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "language", "html document", "unicode text", "utf8 text", "doctype", "anchor hrefs", "hrefs", "denver", "tsara brashears", "apple ios", "password bypass", "apple phone", "unlocker", "shell code", "script", "contacted urls", "hacktool", "malicious", "download", "malware", "relic", "monitoring", "domains", "eurodns sa", "markmonitor", "ip detections", "country", "graph", "https", "mitre att", "ta0007 network", "t1046 sends", "ssdp", "command", "control ta0011", "protocol t1071", "performs dns", "layer protocol", "number", "cus cndigicert", "ja3s", "subject", "sha2 secure", "server ca", "odigicert inc", "cus cnmicrosoft", "algorithm", "memory pattern", "file system", "registry", "registry keys", "process", "created", "processes tree", "february", "healthone", "gmbh version", "status page", "service privacy", "legal", "impressum", "url https", "reverse dns", "general full", "security tls", "protocol h2", "software", "frankfurt", "main", "germany", "resource hash", "de indicators", "hashes", "value", "scriptsrcelem", "variables", "boomrmq string", "boomrapikey", "boomr function", "system", "babelpolyfill", "assign function", "windows nt", "win64", "khtml", "gecko", "aes256gcm", "level", "akamaiasn1", "europeberlin", "generic malware", "tag count", "tue dec", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "root ca", "pattern match", "authority", "span", "presbyterianst", "luke", "medical center", "class", "accept", "date", "refresh", "blood", "liver cancer", "breast cancer", "lung cancer", "kidney cancer", "skin cancer", "sarcoma", "prostate cancer", "body", "facebook", "twitter", "hybrid", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "cookie", "command and control", "mitre", "scanning host", "exploit source", "trojan", "callback function", "targets", "targeting", "samesite=none", "kde", "konqueror", "phi", "pii", "wTJh.exe", "malware ransom trojan evader rat", "network", "rat trojan", "relacionada", "critical risk", "cyberstalking", "elf collection", "matches rule", "emotet", "lockbit", "critical", "copy", "installer", "dark power", "wiper", "ransomware", "cobalt strike", "ursnif", "core", "as55688 pt", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "asn as55688", "threat", "paste", "iocs", "analyze", "hostnames", "united", "aaaa", "unknown", "a domains", "search", "creation date", "record value", "next", "pornhub", "anyxxxtube", "domain", "gandi sas", "hostname", "basic", "pe32", "intel", "ms windows", "generic windos", "executable", "dos executable", "generic", "pe32 packer", "petite", "vs98", "info compiler", "products", "header intel", "name md5", "type", "rticon neutral", "overlay", "dos exe", "threat roundup", "pe resource", "june", "lumma stealer", "ransomexx", "azorult", "njrat", "open", "problem", "plugx", "android", "sex_phot.jpg.exe", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "lcc linker", "empty hash", "tulach", "sabey", "rat", "remote", "remote access trojan" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians", "https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea", "www2.megawebfind.com [command and control]", "http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]", "20.99.186.246 [exploit source]", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]", "Win32:RATX-gen [Trj] identified.", "CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "CS Sigma Rules: Disable UAC Using Registry by frack113", "http://45.159.189.105/bot/regex [ tracking | botnet]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]", "0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Remote Access Trojan" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Win32:RATX-gen [Trj]", "display_name": "Win32:RATX-gen [Trj]", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "W32/Hupigon.NCU", "display_name": "W32/Hupigon.NCU", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Wiper", "display_name": "Wiper", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 883, "URL": 1412, "FileHash-MD5": 283, "FileHash-SHA1": 231, "FileHash-SHA256": 2909, "domain": 824, "email": 3, "CVE": 3 }, "indicator_count": 6548, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]", "0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians", "http://45.159.189.105/bot/regex [ tracking | botnet]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "CS Sigma Rules: Disable UAC Using Registry by frack113", "CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Remote Access Trojan", "20.99.186.246 [exploit source]", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "www2.megawebfind.com [command and control]", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "Win32:RATX-gen [Trj] identified.", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Lockbit", "Azorult", "Cobalt strike", "Hacktool", "Win32:ratx-gen [trj]", "Ursnif", "Virut", "Lumma stealer", "Tulach", "Dark power", "Ransomware", "Wiper", "W32/hupigon.ncu", "Relic" ], "industries": [ "Government", "Healthcare", "Civil society", "Technology", "Education" ], "unique_indicators": 18292 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/goresolver.com", "whois": "http://whois.domaintools.com/goresolver.com", "domain": "goresolver.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6615d6998eba463f36adf923", "name": "hxxps://viz[.]greynoise[.]io/analysis/22fe6389-fe4a-49dc-b343-b6a2feb32864 - 04.04.24 by jwanihad (enriched)", "description": "", "modified": "2025-06-23T17:53:11.641000", "created": "2024-04-10T00:00:25.617000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2361, "domain": 632, "FileHash-SHA256": 644, "hostname": 918 }, "indicator_count": 4555, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "341 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c3bd803f15cd94aab6e287", "name": "Lumma Stealer | Colorado Medical Center HCA", "description": "Needs further investigation. Miscellaneous attack affecting Denver physicians directory. Visitors accessing the page using insecure devices may be affected. PII & PHI breached. Monitoring.", "modified": "2024-03-08T17:04:03.644000", "created": "2024-02-07T17:27:28.349000", "tags": [ "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "execution", "resolutions", "problems", "siblings domain", "whois whois", "startpage", "httponly", "samesitenone", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "language", "html document", "unicode text", "utf8 text", "doctype", "anchor hrefs", "hrefs", "denver", "tsara brashears", "apple ios", "password bypass", "apple phone", "unlocker", "shell code", "script", "contacted urls", "hacktool", "malicious", "download", "malware", "relic", "monitoring", "domains", "eurodns sa", "markmonitor", "ip detections", "country", "graph", "https", "mitre att", "ta0007 network", "t1046 sends", "ssdp", "command", "control ta0011", "protocol t1071", "performs dns", "layer protocol", "number", "cus cndigicert", "ja3s", "subject", "sha2 secure", "server ca", "odigicert inc", "cus cnmicrosoft", "algorithm", "memory pattern", "file system", "registry", "registry keys", "process", "created", "processes tree", "february", "healthone", "gmbh version", "status page", "service privacy", "legal", "impressum", "url https", "reverse dns", "general full", "security tls", "protocol h2", "software", "frankfurt", "main", "germany", "resource hash", "de indicators", "hashes", "value", "scriptsrcelem", "variables", "boomrmq string", "boomrapikey", "boomr function", "system", "babelpolyfill", "assign function", "windows nt", "win64", "khtml", "gecko", "aes256gcm", "level", "akamaiasn1", "europeberlin", "generic malware", "tag count", "tue dec", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "root ca", "pattern match", "authority", "span", "presbyterianst", "luke", "medical center", "class", "accept", "date", "refresh", "blood", "liver cancer", "breast cancer", "lung cancer", "kidney cancer", "skin cancer", "sarcoma", "prostate cancer", "body", "facebook", "twitter", "hybrid", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "cookie", "command and control", "mitre", "scanning host", "exploit source", "trojan", "callback function", "targets", "targeting", "samesite=none", "kde", "konqueror", "phi", "pii", "wTJh.exe", "malware ransom trojan evader rat", "network", "rat trojan", "relacionada", "critical risk", "cyberstalking", "elf collection", "matches rule", "emotet", "lockbit", "critical", "copy", "installer", "dark power", "wiper", "ransomware", "cobalt strike", "ursnif", "core", "as55688 pt", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "asn as55688", "threat", "paste", "iocs", "analyze", "hostnames", "united", "aaaa", "unknown", "a domains", "search", "creation date", "record value", "next", "pornhub", "anyxxxtube", "domain", "gandi sas", "hostname", "basic", "pe32", "intel", "ms windows", "generic windos", "executable", "dos executable", "generic", "pe32 packer", "petite", "vs98", "info compiler", "products", "header intel", "name md5", "type", "rticon neutral", "overlay", "dos exe", "threat roundup", "pe resource", "june", "lumma stealer", "ransomexx", "azorult", "njrat", "open", "problem", "plugx", "android", "sex_phot.jpg.exe", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "lcc linker", "empty hash", "tulach", "sabey", "rat", "remote", "remote access trojan" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians", "https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea", "www2.megawebfind.com [command and control]", "http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]", "20.99.186.246 [exploit source]", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]", "Win32:RATX-gen [Trj] identified.", "CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "CS Sigma Rules: Disable UAC Using Registry by frack113", "http://45.159.189.105/bot/regex [ tracking | botnet]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]", "0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Remote Access Trojan" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Win32:RATX-gen [Trj]", "display_name": "Win32:RATX-gen [Trj]", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "W32/Hupigon.NCU", "display_name": "W32/Hupigon.NCU", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Wiper", "display_name": "Wiper", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 883, "URL": 1412, "FileHash-MD5": 283, "FileHash-SHA1": 231, "FileHash-SHA256": 2909, "domain": 824, "email": 3, "CVE": 3 }, "indicator_count": 6548, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://goresolver.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://goresolver.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780242704.2885966 }