{ "type": "URL", "indicator": "https://hagiangdiscovery.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://hagiangdiscovery.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3833880778, "indicator": "https://hagiangdiscovery.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cae8b43072d177d592feb0", "name": "Astaroth Trojan found in: https://house.mo.gov link", "description": "Impact of the Astaroth Trojan\nOnce the campaign has successfully infiltrated, it will log the users keystrokes, intercept their operating system calls, and gather any information saved to the clipboard continuously. With these methods, it uncovers significant amounts of personal information from the user bank accounts and business accounts. Additionally, in conjunction with NetPass, it gathers user login passwords across the board undetected, including any of their remote computers on LAN, mail account passwords, Messenger accounts, Internet Explorer passwords, and others.", "modified": "2024-03-14T03:01:16.126000", "created": "2024-02-13T03:57:40.057000", "tags": [ "ssl certificate", "whois record", "contacted", "bundled", "january", "communicating", "execution", "phishing page", "cyberstalking", "apple ios", "february", "phishing", "crat", "metro", "life", "core", "hacktool", "bitrat", "malicious", "mallox", "lolkek", "emotet", "pe resource", "threat roundup", "roundup", "astaroth", "august", "tsara brashears", "workers", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "data redacted", "redacted for", "domain status", "code", "privacy billing", "privacy tech", "privacy admin", "postal code", "city", "date", "dns replication", "siblings", "server", "pty ltd", "registrar abuse", "wholesale pty", "tpp wholesale", "registry domain", "registrar url", "malvertizing", "pega related attack", "mo", "gov", "msie", "chrome", "status", "search", "passive dns", "urls", "record value", "name servers", "unknown", "body", "next", "trojan", "scanning host", "exploit source", "cnc", "command and control", "united", "domain", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "files", "hallgrand", "brian sabey", "hello", "reinsurance", "remote", "rat", "cyber threat", "targeting" ], "references": [ "Pulse of: hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "Found in: http://house.mo.gov/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing & apple collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple iOS unlocker password decryption]", "nr-data.net [Apple Private Data Collection]", "30597972.bhclick.com", "http://ns2.hallgrandsale.ru/", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [AIG- data collection]", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Astaroth", "display_name": "Astaroth", "target": null }, { "id": "BitRAT", "display_name": "BitRAT", "target": null }, { "id": "CRAT", "display_name": "CRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Mallox", "display_name": "Mallox", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [ "Government", "Media", "Civil Society", "Technology", "Telecommunications", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1230, "URL": 4748, "FileHash-MD5": 161, "FileHash-SHA1": 161, "FileHash-SHA256": 2548, "domain": 1261, "CVE": 1, "email": 7 }, "indicator_count": 10117, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bca8fcbe62297d71b47c33", "name": "Ragnar Locker", "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n 108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.", "modified": "2024-03-03T08:00:03.432000", "created": "2024-02-02T08:34:04.425000", "tags": [ "referrer", "contacted", "whois record", "ssl certificate", "whois whois", "contacted urls", "execution", "historical ssl", "red team", "gang breached", "agent tesla", "redline stealer", "metro", "android", "urls url", "files", "kgs0", "kls0", "orgtechhandle", "orgtechref", "orgabusehandle", "orgdnshandle", "orgdnsref", "whois lookup", "netrange", "nethandle", "net108", "net1080000", "communicating", "urls http", "ransomware gang", "breached", "team", "first", "utc submissions", "submitters", "gandi sas", "psiusa", "domain robot", "porkbun llc", "keysystems gmbh", "csc corporate", "domains", "domain name", "network pty", "tucows", "com laude", "dynadot inc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8354, "FileHash-MD5": 104, "FileHash-SHA1": 81, "FileHash-SHA256": 2711, "CIDR": 5, "CVE": 6, "domain": 1489, "hostname": 3058, "email": 5 }, "indicator_count": 15813, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "nexus.b2btest.ertelecom.ru", "ddos.dnsnb8.net [command_and_control]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "CVE: CVE-2023-23397", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://twitter.com/PORNO_SEXYBABES", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://ns2.hallgrandsale.ru/", "Pulse of: hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "sex-ukraine.net", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [AIG- data collection]", "30597972.bhclick.com", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "Found in: http://house.mo.gov/", "www.supernetforme.com [command_and_control]", "nr-data.net [Apple Private Data Collection]", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing & apple collection]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "http://micrologin.ogspy.net/track/dhl-information-contact.html", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple iOS unlocker password decryption]", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "workers.dev [extraction \u2022 GET request attack]", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Makop", "Astaroth", "Lolkek", "Emotet", "Mallox", "Hacktool", "Ryuk ransomware", "Malware", "Ursnif", "Bitrat", "Crat", "Hallrender", "Sabey", "Qakbot", "Ransomexx", "Lockbit", "Hallgrand" ], "industries": [ "Telecommunications", "Civil society", "Healthcare", "Government", "Media", "Technology" ], "unique_indicators": 39168 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/hagiangdiscovery.com", "whois": "http://whois.domaintools.com/hagiangdiscovery.com", "domain": "hagiangdiscovery.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cae8b43072d177d592feb0", "name": "Astaroth Trojan found in: https://house.mo.gov link", "description": "Impact of the Astaroth Trojan\nOnce the campaign has successfully infiltrated, it will log the users keystrokes, intercept their operating system calls, and gather any information saved to the clipboard continuously. With these methods, it uncovers significant amounts of personal information from the user bank accounts and business accounts. Additionally, in conjunction with NetPass, it gathers user login passwords across the board undetected, including any of their remote computers on LAN, mail account passwords, Messenger accounts, Internet Explorer passwords, and others.", "modified": "2024-03-14T03:01:16.126000", "created": "2024-02-13T03:57:40.057000", "tags": [ "ssl certificate", "whois record", "contacted", "bundled", "january", "communicating", "execution", "phishing page", "cyberstalking", "apple ios", "february", "phishing", "crat", "metro", "life", "core", "hacktool", "bitrat", "malicious", "mallox", "lolkek", "emotet", "pe resource", "threat roundup", "roundup", "astaroth", "august", "tsara brashears", "workers", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "data redacted", "redacted for", "domain status", "code", "privacy billing", "privacy tech", "privacy admin", "postal code", "city", "date", "dns replication", "siblings", "server", "pty ltd", "registrar abuse", "wholesale pty", "tpp wholesale", "registry domain", "registrar url", "malvertizing", "pega related attack", "mo", "gov", "msie", "chrome", "status", "search", "passive dns", "urls", "record value", "name servers", "unknown", "body", "next", "trojan", "scanning host", "exploit source", "cnc", "command and control", "united", "domain", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "files", "hallgrand", "brian sabey", "hello", "reinsurance", "remote", "rat", "cyber threat", "targeting" ], "references": [ "Pulse of: hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "Found in: http://house.mo.gov/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing & apple collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple iOS unlocker password decryption]", "nr-data.net [Apple Private Data Collection]", "30597972.bhclick.com", "http://ns2.hallgrandsale.ru/", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [AIG- data collection]", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Astaroth", "display_name": "Astaroth", "target": null }, { "id": "BitRAT", "display_name": "BitRAT", "target": null }, { "id": "CRAT", "display_name": "CRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Mallox", "display_name": "Mallox", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [ "Government", "Media", "Civil Society", "Technology", "Telecommunications", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1230, "URL": 4748, "FileHash-MD5": 161, "FileHash-SHA1": 161, "FileHash-SHA256": 2548, "domain": 1261, "CVE": 1, "email": 7 }, "indicator_count": 10117, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bca8fcbe62297d71b47c33", "name": "Ragnar Locker", "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n 108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.", "modified": "2024-03-03T08:00:03.432000", "created": "2024-02-02T08:34:04.425000", "tags": [ "referrer", "contacted", "whois record", "ssl certificate", "whois whois", "contacted urls", "execution", "historical ssl", "red team", "gang breached", "agent tesla", "redline stealer", "metro", "android", "urls url", "files", "kgs0", "kls0", "orgtechhandle", "orgtechref", "orgabusehandle", "orgdnshandle", "orgdnsref", "whois lookup", "netrange", "nethandle", "net108", "net1080000", "communicating", "urls http", "ransomware gang", "breached", "team", "first", "utc submissions", "submitters", "gandi sas", "psiusa", "domain robot", "porkbun llc", "keysystems gmbh", "csc corporate", "domains", "domain name", "network pty", "tucows", "com laude", "dynadot inc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8354, "FileHash-MD5": 104, "FileHash-SHA1": 81, "FileHash-SHA256": 2711, "CIDR": 5, "CVE": 6, "domain": 1489, "hostname": 3058, "email": 5 }, "indicator_count": 15813, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://hagiangdiscovery.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://hagiangdiscovery.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641623.5509796 }