{ "type": "URL", "indicator": "https://grabify.link/X4L4K2", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://grabify.link/X4L4K2", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3783520239, "indicator": "https://grabify.link/X4L4K2", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "65576cfc8a3c48947d76db0e", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "APDC became apparent to me when it showed up in plain text on a discarded iOS belonging to target. Fraud services puts target in jeopardy, tracking, location hunting, listening, camera , access, photo access, message, threats via digital communication, emails archived, hidden users, social engineering, drive by app chooser, no click attacks.", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-17T13:39:08.903000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580d2e6c8373c7290d9ad8", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-18T01:02:38.770000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": "65576cfc8a3c48947d76db0e", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "bam.nr-data.net", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "http://45.159.189.105/bot/regex", "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://www.anyxxxtube.net/media/favicon/apple" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan", "Vidar", "Remcos", "Relic", "Matrix", "Nanocore rat", "Tulach malware" ], "industries": [], "unique_indicators": 3944 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/grabify.link", "whois": "http://whois.domaintools.com/grabify.link", "domain": "grabify.link", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "65576cfc8a3c48947d76db0e", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "APDC became apparent to me when it showed up in plain text on a discarded iOS belonging to target. Fraud services puts target in jeopardy, tracking, location hunting, listening, camera , access, photo access, message, threats via digital communication, emails archived, hidden users, social engineering, drive by app chooser, no click attacks.", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-17T13:39:08.903000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580d2e6c8373c7290d9ad8", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-18T01:02:38.770000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": "65576cfc8a3c48947d76db0e", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://grabify.link/X4L4K2", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://grabify.link/X4L4K2", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780265991.8220086 }