{
"type": "URL",
"indicator": "https://html.backmonitorstats.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://html.backmonitorstats.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3817684319,
"indicator": "https://html.backmonitorstats.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 19,
"pulses": [
{
"id": "69b2b76c9a490b69b6a085b3",
"name": "Exodus/cellbrite clone by Q Vashti",
"description": "",
"modified": "2026-03-12T12:54:04.160000",
"created": "2026-03-12T12:54:04.160000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6916e098df39114161354b23",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4295,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3255,
"domain": 2911,
"hostname": 2894,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13986,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952febb1dbcf05ee601f050",
"name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)",
"description": "",
"modified": "2025-12-29T22:20:43.238000",
"created": "2025-12-29T22:20:43.238000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65b80a20bbcd0eb305a740ec",
"export_count": 29097,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4101,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3155,
"domain": 2894,
"hostname": 2847,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13628,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "110 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6916e098df39114161354b23",
"name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ",
"description": "",
"modified": "2025-12-14T07:05:42.106000",
"created": "2025-11-14T07:56:08.872000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65a76c2901b34c79a681596d",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4295,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3255,
"domain": 2911,
"hostname": 2894,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13986,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bbb31f6d91989d7fcd9592",
"name": "Who is Argus Health Systems in relation to United Healthcare",
"description": "Strange. Person/s handling a monitored targeted past accounts was contacted to have old bills paid. Told individual had Argus Health Insurance that wouldn\u2019t pay.\n\nIssues: \u2022 Individual wasn\u2019t a client of vendor in 2024\n\u2022 Was never an Argus client.\n\u2022 Social engineering type call. Angry employee demanding copy of front and back of Health Care Insurance card for UH payments for items purchased after approved prior authorization for in past purchases. \n\u2022 Gave an incredible amount of PHI over phone w/o appropriate new (or former) HIPPA standard verification. \u2022 Angrily refused to provide billing # or requesters name.\n*United Health Care has paid ZERO bills. \n* \n(Auto populated - Anel arauchealth cam) | https://www.argushealth.com. Argus Health Systems is a healthcare technology company based in Kansas City, MO. Specializing in pharmacy benefit management ...",
"modified": "2025-10-06T03:04:31.707000",
"created": "2025-09-06T04:05:50.955000",
"tags": [
"server",
"date",
"registrar abuse",
"csc corporate",
"domains",
"algorithm",
"key identifier",
"x509v3 subject",
"country",
"postal code",
"code",
"united",
"showing",
"entries",
"ip address",
"search",
"name servers",
"unknown aaaa",
"domain add",
"pulse submit",
"passive dns",
"content type",
"type content",
"all ipv4",
"url analysis",
"urls",
"files",
"title",
"meta",
"certificate",
"creation date",
"record value",
"hostname add",
"domain",
"unknown ns",
"china unknown",
"body",
"please",
"x msedge",
"pulse pulses",
"present aug",
"hong kong",
"extraction",
"data upload",
"levelbluelabs",
"search otx",
"pcap",
"stix",
"url or",
"texdr",
"failedto",
"drop",
"aaaa",
"record type",
"ttl value",
"historical ssl",
"certificates",
"thumbprint",
"present jan",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jul",
"present jun",
"moved",
"gmt content",
"a domains",
"next http",
"scans show",
"error",
"present sep",
"present may",
"present jul",
"present mar",
"present apr"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2091,
"domain": 817,
"URL": 7939,
"email": 5,
"FileHash-SHA256": 2960,
"FileHash-SHA1": 240,
"FileHash-MD5": 227
},
"indicator_count": 14279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688f4c5545b3f6aa22cd15ac",
"name": "www.anr.gov.pl",
"description": "https://www.virustotal.com/gui/domain/www.anr.gov.pl/relations\nhttps://crt.sh/?q=mail1.anr.gov.pl",
"modified": "2025-09-02T11:04:40.312000",
"created": "2025-08-03T11:47:33.053000",
"tags": [
"id03fam",
"id48576"
],
"references": [
"http://www.anr.gov.pl",
"www.anr.gov.pl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 14,
"FileHash-SHA1": 14,
"FileHash-SHA256": 744,
"URL": 1367,
"domain": 144,
"email": 1,
"hostname": 373,
"CVE": 1
},
"indicator_count": 2658,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "229 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6882b365b45b9c6ee0eb7abc",
"name": "Mold and Water Damage | Botnet - every search will remit false results",
"description": "Mold and Water Damage | Botnet - every search will remit false results. In this instance it was a lawfirm. https://www.wshblaw.com/\n#malware #packed #botnetresults #likely #botnettester",
"modified": "2025-08-23T20:02:25.025000",
"created": "2025-07-24T22:27:49.105000",
"tags": [
"redacted for",
"name servers",
"united",
"date",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"unknown",
"etpro trojan",
"possible virut",
"dga nxdomain",
"responses",
"entries",
"search",
"read c",
"show",
"read",
"win32",
"copy",
"write",
"malware",
"next",
"files ip",
"address",
"date hash",
"domain related",
"showing",
"ip address",
"ip related",
"pulses none",
"related tags",
"none indicator",
"facts domain",
"poland unknown",
"aaaa",
"present apr",
"domain add",
"pulse pulses",
"windows",
"windows nt",
"medium",
"high",
"cnc beacon",
"trojan",
"present may",
"present jun",
"present sep",
"present nov",
"present feb",
"present aug",
"present oct",
"backdoor",
"msil",
"united kingdom",
"great britain",
"susp",
"win64",
"content type",
"trojandropper",
"worm",
"ransom",
"expiration",
"no expiration",
"hostname",
"url http",
"embeddedwb",
"shellexecuteexw",
"whitelisted",
"msie",
"service",
"cloud",
"hostname add",
"extraction",
"data upload",
"enter soukue",
"url uk",
"teukau",
"drup uk",
"drows type",
"extre",
"include review",
"exclude sugges",
"find",
"a domains",
"gmt content",
"ipv4 add",
"canada unknown",
"meta",
"cloudflare",
"status",
"span",
"reverse dns",
"asn as13335",
"dns resolutions",
"domains top",
"body",
"apache",
"delete",
"ukraine",
"registrar",
"creation date",
"servers",
"present jul",
"self",
"date tue",
"gmt server",
"expires wed",
"apache vary",
"server google",
"tag manager",
"gmt etag",
"acceptranges",
"contentlength",
"pragma",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"itre att",
"unicode text",
"utf8 text",
"crlf",
"lf line",
"copy md5",
"sha1",
"copy sha1",
"sha256",
"copy sha256",
"size",
"truetype",
"ascii text",
"pattern match",
"mitre att",
"format",
"general",
"local",
"path",
"encrypt",
"click",
"strings"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1326,
"URL": 3745,
"domain": 778,
"email": 2,
"FileHash-SHA256": 2360,
"FileHash-MD5": 355,
"FileHash-SHA1": 347,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8917,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "239 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687f0f210ec1de4316b22522",
"name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled",
"description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att",
"modified": "2025-08-21T03:02:43.704000",
"created": "2025-07-22T04:10:09.158000",
"tags": [
"date",
"submit url",
"analysis",
"passive dns",
"urls",
"files",
"ip address",
"asn as13335",
"whois registrar",
"creation date",
"extraction",
"data",
"extri",
"include review",
"iocs",
"data upload",
"united",
"unknown aaaa",
"search",
"showing",
"moved",
"a domains",
"record value",
"body"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6560,
"FileHash-MD5": 121,
"FileHash-SHA1": 125,
"FileHash-SHA256": 3989,
"domain": 1616,
"hostname": 1876,
"email": 3,
"CVE": 2
},
"indicator_count": 14292,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "241 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6824aa10fa32899c33abc3be",
"name": "tp://adorno.pl and http://vgt.pl INVESTIGATION requstor user Axelo",
"description": "https://t.co/zTZNBTe8GV",
"modified": "2025-06-14T00:00:30.956000",
"created": "2025-05-14T14:34:56.497000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 426,
"FileHash-SHA1": 455,
"FileHash-SHA256": 5596,
"URL": 15206,
"IPv4": 409,
"domain": 2473,
"hostname": 5059,
"CVE": 3
},
"indicator_count": 29627,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "309 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66994bda3e150656cd5ac9dd",
"name": "Browser Session Hijacking Various MyChart Phishing Scams",
"description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.",
"modified": "2024-08-17T16:01:11.866000",
"created": "2024-07-18T17:07:38.719000",
"tags": [
"historical ssl",
"referrer",
"domains",
"august",
"phishingscams",
"domains part",
"domain tracker",
"roundup",
"new problems",
"privacy badger",
"startpage",
"self",
"httponly",
"samesitenone",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"sha256",
"pragma",
"mychartlocale",
"urls",
"ip detections",
"country",
"contacted",
"files",
"file type",
"name file",
"gmbh",
"cloudflare",
"tucows",
"ii llc",
"alibaba cloud",
"computing",
"sample",
"media t1091",
"t1497 may",
"mitre att",
"access ta0001",
"replication",
"ta0004 process",
"injection t1055",
"defense evasion",
"http requests",
"get http",
"request",
"host",
"dns resolutions",
"ip traffic",
"hashes",
"tsara brashears",
"red team",
"hackers",
"highly targeted",
"critical risk",
"cyberstalking",
"apple",
"apple ios",
"logistics",
"cyber defense",
"guloader",
"hacktool",
"emotet",
"phishing",
"facebook",
"malware",
"hiddentear",
"maze",
"server",
"domain status",
"date",
"algorithm",
"google llc",
"registrar abuse",
"registrar",
"record type",
"ttl value",
"aaaa",
"whois lookup",
"admin country",
"ca creation",
"dnssec",
"markmonitor",
"siblings",
"whois lookups",
"expiration date",
"registrar iana",
"creation date",
"first",
"united",
"as15169 google",
"cname",
"status",
"virtool",
"cryp",
"as396982 google",
"search",
"name servers",
"win32",
"remote"
],
"references": [
"MyChart Phishing Scams",
"exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82",
"VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64-Trojan/Pakes.Exp",
"display_name": "Win64-Trojan/Pakes.Exp",
"target": null
},
{
"id": "Win64:RansomX-gen",
"display_name": "Win64:RansomX-gen",
"target": null
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 37,
"FileHash-SHA1": 33,
"FileHash-SHA256": 3473,
"domain": 693,
"URL": 4384,
"hostname": 1610,
"CVE": 2,
"email": 3
},
"indicator_count": 10235,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "610 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "666de04fd3531dc0896346a1",
"name": "Skynet | Emotet | Nivdort | WhiteSky Communications_SPOOFED | Denver, Co",
"description": "ISP of targets very close associate is spoofed. Ad. Full CnC . It's all there. Pulse better NOT be modified. Jeffrey Scott Reimer DPT who allegedly SA'd target hasn't been put under ANY scrutiny, a weakly written police report exists. A very healthy very fit woman who went to physical therapy left with a spinal cord injury, ACM, TBI, central nervous system injuries, separated hips & SI joints due to the great force of 'SA'. A letter from an MD demanded investigation as to how target ended up with injuries she didn't arrive with. Minor injury. Placed at MMI by 1st PT. It was insisted she to go to Reimer. She has a power wheelchair now. Now victim is a suspect needing to be surveilled. PT is now victim of unnamed crime against this 6'3 brut. Hacker Brian Sabey states Reimer hired him. Surveillance, bold confrontations, physically, verbally & cyber attacks need to stop. Countless SA victims probably go through something, but this? Shhhh. Silence please. Reimer needs to live his life.",
"modified": "2024-08-14T06:01:01.267000",
"created": "2024-06-15T18:41:19.343000",
"tags": [
"historical ssl",
"referrer",
"project skynet",
"cyber army",
"page dow",
"poser",
"scammer",
"security",
"bitfender",
"parked",
"read c",
"search",
"show",
"high",
"unknown",
"united",
"pe32",
"intel",
"ms windows",
"entries",
"copy",
"hupigon",
"upatre",
"explorer",
"write",
"win32",
"malware",
"defender",
"passive dns",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"files",
"get na",
"possible",
"sinkhole cookie",
"value snkz",
"medium",
"nivdort",
"service",
"next",
"arbor networks",
"pulse pulses",
"body",
"contact",
"date",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"span",
"june",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"ip address",
"domain",
"ip related",
"as55293 a2",
"status",
"as8068",
"creation date",
"otx telemetry",
"emails",
"expiration date",
"name servers",
"america asn",
"algorithm",
"data",
"v3 serial",
"number",
"cus olet",
"encrypt cnr3",
"validity",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"first",
"win32 exe",
"identifier",
"info",
"dns replication",
"technology",
"passive",
"user",
"downloads",
"text",
"internet files",
"storage",
"firefox c",
"pings c",
"written c",
"files deleted",
"destination ip",
"threat roundup",
"april",
"september",
"october",
"december",
"january",
"august",
"hr rtd",
"bot networks",
"listen",
"awful",
"skynet",
"ptls7",
"clng",
"cdate",
"ygjpaufscontext",
"flashpix",
"bhja",
"error resume",
"voun2hd",
"odx3x33jk9w3",
"false",
"template",
"crash",
"emotet",
"project",
"pe32 executable",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"vs2008",
"data rticon",
"kyrgyz default",
"default",
"rticon kyrgyz",
"info compiler",
"products",
"vs2005",
"header intel",
"name md5",
"domains",
"csc corporate",
"com laude",
"registrarsafe",
"namecheap inc",
"psiusa",
"domain robot",
"ii llc",
"hetzner online",
"gmbh",
"type name",
"file type",
"kb file",
"ip detections",
"country",
"contacted",
"hashes",
"file system",
"pegasus",
"targets sa",
"survivor",
"matches rule",
"virus network",
"comcast",
"hiddentear",
"critical",
"installer",
"targets tsara brashears",
"trojan evader",
"trojan malware",
"npzk765",
"content type",
"a domains",
"as16276",
"body doctype",
"public w3cdtd",
"xhtml",
"xmlns http",
"gmt server",
"accept",
"graph",
"http requests",
"connect",
"dns resolutions",
"ip traffic",
"remote debian spy",
"search debian available space",
"hacking",
"targeting",
"indostealer",
"law firm",
"showing",
"x00x00",
"trustinfo",
"registry",
"external ip",
"observed",
"administrator",
"persistence",
"execution",
"hallrender",
"west domains",
"trojan",
"memcommit",
"pe section",
"low software",
"packing t1045",
"t1045",
"pe resource",
"jeffrey scott reimer"
],
"references": [
"https://whiteskycommunications.com/_Spoofed",
"https://otx.alienvault.com/indicator/file/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031",
"213.91.128.133 CnC AS 8866 (Vivacom Bulgaria EAD) BG - Miner",
"0039ca3853af262af65326399713d4e45340eec4c3ea789be19335f06f090993",
"Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority Matches rule ET POLICY Cryptocurrency Miner Checkin Matches rule PUA-OTHER Cryptocurrency Miner outbound connection attempt",
"https://twitter.com/PORNO_SEXYBABES",
"IDS Detections: Win32/Emotet CnC Activity (POST) M9 GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1",
"https://otx.alienvault.com/indicator/file/0274c7ffe81ebc6310a2857348a6653d0abbfca780238a854992b7b786bb1d72",
"https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html - scrubbed and for sale.",
"https://mypornsnap.top/photos/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears thousands of sites surfaced online",
"It has taken years to slow the constant malicious DGA domains , they still keep smearing target only.",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"http://www.metanetworks.org/tsara-lynn-brashears-dead",
"hxxps://onlyindianporn.net/videos/tsara-brashears/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Infostealer/Win.SmokeLoader.R439087",
"display_name": "Infostealer/Win.SmokeLoader.R439087",
"target": null
},
{
"id": "Alibaba Ransom:Win32/StopCrypt",
"display_name": "Alibaba Ransom:Win32/StopCrypt",
"target": "/malware/Alibaba Ransom:Win32/StopCrypt"
},
{
"id": "W32.AIDetect.malware2",
"display_name": "W32.AIDetect.malware2",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:TrojanSpy:Nivdort",
"display_name": "ALF:TrojanSpy:Nivdort",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.RQ!MSR",
"display_name": "Trojan:Win32/Glupteba.RQ!MSR",
"target": "/malware/Trojan:Win32/Glupteba.RQ!MSR"
},
{
"id": "Win.Dropper.Tofsee-9799489-0",
"display_name": "Win.Dropper.Tofsee-9799489-0",
"target": null
},
{
"id": "Win32:DropperX-gen\\ [Drp]",
"display_name": "Win32:DropperX-gen\\ [Drp]",
"target": null
}
],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 4,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 334,
"FileHash-SHA1": 332,
"FileHash-SHA256": 2760,
"URL": 3080,
"domain": 2294,
"hostname": 1436,
"CVE": 1,
"email": 7,
"CIDR": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 10247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "613 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "666a290827eb9a7dec1aa57f",
"name": "just checking",
"description": "",
"modified": "2024-07-12T21:02:00.286000",
"created": "2024-06-12T23:02:32.039000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 5,
"FileHash-SHA1": 5,
"FileHash-SHA256": 1278,
"URL": 5288,
"domain": 1217,
"hostname": 2980,
"CVE": 1
},
"indicator_count": 10774,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 178,
"modified_text": "645 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66141ecabe8f1ab189351dd3",
"name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring",
"description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related",
"modified": "2024-05-08T16:00:34.588000",
"created": "2024-04-08T16:43:54.908000",
"tags": [
"installer",
"tofsee",
"trojan",
"dropper",
"dns",
"as20940",
"united",
"aaaa",
"as15703",
"search",
"servers",
"as8455 schuberg",
"a domains",
"encrypt",
"code",
"tweakers",
"unknown",
"ransom",
"body",
"webcams",
"banker",
"location tracking",
"vehicle tracking",
"device tracking",
"exploitation",
"redirects",
"ip tracking",
"vpn nullify",
"vehicle keycodes",
"search threat",
"analyzer feeds",
"panel platform",
"search platform",
"profile user",
"iocs",
"redacted for",
"passive dns",
"all scoreblue",
"hostname",
"next",
"cnc",
"scanning host",
"milesone",
"virtual currency mining",
"crypto",
"regsetvalueexa",
"regdword",
"default",
"show",
"regbinary",
"read c",
"settingswpad",
"as15169",
"malware",
"copy",
"write",
"upatre",
"ids detections",
"scan endpoints",
"filehash",
"av detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"ransom",
"related pulses",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pe resource",
"august",
"win32",
"for privacy",
"creation date",
"name servers",
"urls",
"date",
"status",
"as15169 google",
"as44273 host",
"ipv4",
"pulse submit",
"url analysis",
"msie",
"chrome",
"moved",
"title",
"gmt content",
"apple",
"invalidate_gift_cards",
"tulach rebranded",
"hallrender rebranded",
"as8075",
"verdana",
"td tr",
"domain",
"germany unknown",
"as34011 host",
"etag",
"medium",
"module load",
"invalidate_google_play",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"win32 exe",
"win32 dll",
"javascript",
"mozilla firefox",
"edition",
"detections type",
"name",
"keeweb",
"setup",
"firefox setup",
"record type",
"ttl value",
"android",
"files",
"formbook",
"critical cmd",
"tracker",
"tsara brashears",
"remote",
"historical ssl",
"referrer",
"march",
"body html",
"head meta",
"moved title",
"head body",
"pegasus",
"nemtih",
"hit",
"men",
"gift_card_mining",
"google_play_card_mining",
"miner",
"htmladodb may",
"twitter",
"win64",
"as21342",
"as2914 ntt",
"as15334",
"error",
"certificate",
"checkbox",
"accept",
"record value",
"emails",
"domain name"
],
"references": [
"Virustotal - google.com.uy",
"https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
"Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
"https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
"https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
"nr-data.net [Apple Private Data Collection]",
"checkip.dyndns.org [command and control]",
"checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
"144.76.108.82 [scanning host]",
"Yara Detections PEtite24",
"FormBook IP: 142.251.211.243",
"https://pegasusm2.bullsbikesusa.com",
"https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Trojan:MSIL/TrojanDropper",
"display_name": "Trojan:MSIL/TrojanDropper",
"target": "/malware/Trojan:MSIL/TrojanDropper"
},
{
"id": "Installer",
"display_name": "Installer",
"target": null
},
{
"id": "Sf:Agent-DQ\\ [Trj]",
"display_name": "Sf:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre!rfn",
"display_name": "TrojanDownloader:Win32/Upatre!rfn",
"target": "/malware/TrojanDownloader:Win32/Upatre!rfn"
},
{
"id": "Win32:DropperX-gen\\ [Drp]",
"display_name": "Win32:DropperX-gen\\ [Drp]",
"target": null
},
{
"id": "Win.Trojan.Tofsee-9770082-1",
"display_name": "Win.Trojan.Tofsee-9770082-1",
"target": null
},
{
"id": "Ransom:Win32/StopCrypt.AK!MTB",
"display_name": "Ransom:Win32/StopCrypt.AK!MTB",
"target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
}
],
"attack_ids": [
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1574.005",
"name": "Executable Installer File Permissions Weakness",
"display_name": "T1574.005 - Executable Installer File Permissions Weakness"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1013",
"name": "Port Monitors",
"display_name": "T1013 - Port Monitors"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1468",
"name": "Remotely Track Device Without Authorization",
"display_name": "T1468 - Remotely Track Device Without Authorization"
},
{
"id": "T1450",
"name": "Exploit SS7 to Track Device Location",
"display_name": "T1450 - Exploit SS7 to Track Device Location"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"display_name": "T1483 - Domain Generation Algorithms"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 392,
"FileHash-SHA1": 468,
"FileHash-SHA256": 3233,
"URL": 8667,
"domain": 2219,
"hostname": 3480,
"email": 8
},
"indicator_count": 18467,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "711 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65eff46bdd371899ca5be7d7",
"name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield",
"description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.",
"modified": "2024-04-11T04:01:24.166000",
"created": "2024-03-12T06:21:31.484000",
"tags": [
"upatre malware",
"rwi dtools",
"page dow",
"security",
"bitfender",
"yandex",
"malware",
"all octoseek",
"av detections",
"ids detections",
"yara detections",
"alerts",
"file score",
"fireeye",
"injection",
"worm",
"trojan",
"network",
"poster",
"honeybots",
"united",
"unknown",
"win32upatre mar",
"passive dns",
"entries",
"ipv4",
"body",
"artro",
"generic malware",
"formbook",
"tag count",
"threat report",
"ip summary",
"url summary",
"generic",
"hostnames",
"pattern match",
"ascii text",
"png image",
"root ca",
"file",
"authority",
"indicator",
"mitre att",
"ck id",
"class",
"date",
"enterprise",
"hybrid",
"accept",
"general",
"local",
"click",
"strings",
"trident",
"as47846",
"germany unknown",
"as2906 netflix",
"scan endpoints",
"domain",
"urls",
"files",
"trojanspy",
"mozilla",
"dynamicloader",
"medium",
"title",
"ms windows",
"head",
"intel",
"inetsim http",
"delete c",
"show",
"winnt",
"copy",
"powershell",
"write",
"next",
"suspicious",
"shop",
"graph api",
"status",
"join",
"vt community",
"api key",
"xcitium verdict",
"cloud",
"contacted",
"contacted urls",
"ssl certificate",
"referrer",
"historical ssl",
"parent domain",
"apple ios",
"resolutions",
"execution",
"hacktool",
"outbound connection",
"detection list",
"blacklist"
],
"references": [
"http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022",
"http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com",
"william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"",
"FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020",
"Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba",
"Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79",
"Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad",
"Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/",
"Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7",
"Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c",
"Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143",
"allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe",
"injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available",
"CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33",
"AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.",
"Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022",
"www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html",
"https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"",
"https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022",
"https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html",
"https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js",
"https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html",
"http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html",
"http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html",
"http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html",
"http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html",
"http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-",
"http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-",
"http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022",
"http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c",
"https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/",
"\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e",
"\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671",
"\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf",
"\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win32:CrypterX-gen\\ [Trj]",
"display_name": "Win32:CrypterX-gen\\ [Trj]",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Win32.Renos/Artro",
"display_name": "Win32.Renos/Artro",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "I-Worm/Bagle.QE",
"display_name": "I-Worm/Bagle.QE",
"target": null
},
{
"id": "Worm.Bagle-44",
"display_name": "Worm.Bagle-44",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.DE",
"display_name": "TrojanSpy:Win32/Nivdort.DE",
"target": "/malware/TrojanSpy:Win32/Nivdort.DE"
},
{
"id": "Win.Trojan.Generic-9897526-0",
"display_name": "Win.Trojan.Generic-9897526-0",
"target": null
},
{
"id": "Win.Trojan.Knigsfot-125",
"display_name": "Win.Trojan.Knigsfot-125",
"target": null
},
{
"id": "ALF:TrojanDownloader:Win32/Vadokrist.A",
"display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A",
"target": null
},
{
"id": "Win.Trojan.Generic-9957168-0",
"display_name": "Win.Trojan.Generic-9957168-0",
"target": null
},
{
"id": "Win.Adware.RelevantKnowledge-9821121-0",
"display_name": "Win.Adware.RelevantKnowledge-9821121-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Neurevt",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 42,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1622,
"FileHash-SHA1": 934,
"FileHash-SHA256": 3289,
"URL": 9605,
"domain": 2321,
"hostname": 2411,
"CVE": 1,
"email": 3
},
"indicator_count": 20186,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "738 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a7e576b3cbdf2f86a32acc",
"name": "Skynet | prd.connectforhealthco.com | Identity theft |",
"description": "Remote interception of health insurance applicants call. Social engineering - threat actor will walk target through process beginning with; verification of phone model, browser used, phone number, email, ssn# entered in staged health insurance enrollment application. Auto forwards ssn# to Experian, locking consumer from of all accounts, credit information is stolen, consumer identity theft. New accounts cannot be created, a password reset is required for scam, all emails requested, bad actor will ask for entire households email accounts, device use, etc. Sends malicious forms to devices. Takes consumer through a lengthy phone transfer scheme +++",
"modified": "2024-02-16T13:04:46.804000",
"created": "2024-01-17T14:34:30.204000",
"tags": [
"whois record",
"historical ssl",
"ssl certificate",
"april",
"referrer",
"threat roundup",
"communicating",
"whois",
"rwi dtools",
"jekyll",
"metro",
"skynet",
"identity theft",
"parking crew",
"whois whois",
"resolutions",
"october",
"august",
"march",
"june",
"attack",
"goldfinder",
"sibot",
"hacktool",
"remote attack",
"social engineering",
"read c",
"get autoit",
"search",
"regsetvalueexa",
"show",
"entries",
"regdword",
"intel",
"ms windows",
"showing",
"autoit",
"write",
"worm",
"copy",
"unknown",
"win32",
"persistence",
"execution",
"malware",
"autorun",
"redacted for",
"for privacy",
"name servers",
"date",
"scan endpoints",
"all octoseek",
"hostname",
"pulse submit",
"url analysis",
"encrypt",
"next",
"sabey",
"no expiration",
"filehashsha256",
"filehashsha1",
"filehashmd5",
"iocs",
"create new",
"pulse use",
"pdf report",
"pcap",
"malware beacon",
"useragent",
"http request",
"hostile",
"autoit windows",
"automation tool",
"forbidden",
"algorithm",
"full name",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"info",
"first",
"detections type",
"name",
"javascript",
"pdf community",
"office open",
"xml spreadsheet",
"text",
"siblings",
"process32nextw",
"fjlsedauv",
"writeconsolea",
"medium",
"discovery",
"high",
"module load",
"t1129",
"united",
"as63949 linode",
"mtb jan",
"passive dns",
"backdoor",
"mtb dec",
"open",
"body",
"artro",
"creation date",
"servers",
"urls",
"record value",
"expiration date",
"vt graph",
"parent referrer",
"apple private",
"data collection",
"hidden privacy",
"malicious",
"verified",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"tucows",
"amazonaes",
"china telecom",
"group",
"cloudflarenet",
"akamaias",
"pty ltd",
"argon data",
"communication",
"limited",
"digitaloceanasn",
"twitter",
"dropbox",
"domainsite",
"alibaba cloud",
"computing",
"beijing",
"service",
"ip address",
"latest",
"virustotal",
"unclejohn",
"us autonomous",
"system46606",
"unified layer",
"urls latest",
"contacted",
"historical",
"subdomains",
"gootloader",
"http response",
"final url",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"binary",
"sameorigin",
"scammer",
"spammer"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "Sibot - S0589",
"display_name": "Sibot - S0589",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Downloader.Cerber/JS!1.A59C (CLASSIC)",
"display_name": "Downloader.Cerber/JS!1.A59C (CLASSIC)",
"target": null
},
{
"id": "W32/Expiro.fam",
"display_name": "W32/Expiro.fam",
"target": null
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1460",
"name": "Biometric Spoofing",
"display_name": "T1460 - Biometric Spoofing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
}
],
"industries": [
"Healthcare",
"Insurance",
"Finance",
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 515,
"FileHash-SHA1": 504,
"FileHash-SHA256": 3557,
"URL": 5450,
"domain": 1842,
"hostname": 2221,
"CVE": 2,
"email": 6
},
"indicator_count": 14097,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "793 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b80a20bbcd0eb305a740ec",
"name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
"description": "",
"modified": "2024-02-16T05:03:15.321000",
"created": "2024-01-29T20:27:12.899000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65a76c2901b34c79a681596d",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4101,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3155,
"domain": 2894,
"hostname": 2847,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13628,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "793 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a77c6a22a236495c4548d6",
"name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
"description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.' PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers",
"modified": "2024-02-16T05:03:15.321000",
"created": "2024-01-17T07:06:18.453000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"remote",
"malvertizing",
"spying",
"cyber stalking"
],
"references": [
"https://tulach.cc/",
"go.sabey.com",
"sabey.com",
"cellebrite.com",
"https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"remote.aciscomputers.com",
"https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
"114.114.114.114 [Tulach]",
"nr-data.net [Apple Private Data Collection]",
"defenselawyernj.com",
"attorney-marketing-specialists.com ?",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
"http://www.apple.com/appleca/AppleIncRootCertificate.cer",
"http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
"https://t.me/hermitspyware/24",
"hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
"https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
"http://watchhers.net/index.php [remote attackers | malware spreader]",
"api-stage.pornhub.com",
"newbrazzers.com [y8.com]",
"www.videolan.org [info solutions]",
"www2.blackbagtech.com [hidden users included]",
"http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
"http://pegasus.diskel.co.uk/ [phishing]",
"wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"fds.cellebrite.com",
"http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
"healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
"http://download.virtualbox.org/virtualbox/debian",
"match.pegasus.isi.edu",
"asp.net",
"http://dropbox.com/ [ intrusions/ dropbox stealer]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1588.004",
"name": "Digital Certificates",
"display_name": "T1588.004 - Digital Certificates"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
}
],
"industries": [
"Individual",
"Patient",
"Healthcare",
"Survivor"
],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4101,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3157,
"domain": 2903,
"hostname": 2847,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13639,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "793 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a76c2901b34c79a681596d",
"name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
"description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following , being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.",
"modified": "2024-02-16T05:03:15.321000",
"created": "2024-01-17T05:56:57.948000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4101,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3155,
"domain": 2894,
"hostname": 2847,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13628,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "793 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a20ff8db3854e863dca324",
"name": "Shared Modules | Hijacker | Masquerading",
"description": "",
"modified": "2024-02-12T04:01:56.040000",
"created": "2024-01-13T04:22:16.961000",
"tags": [
"filehashmd5",
"no expiration",
"iocs",
"next",
"scan endpoints",
"all octoseek",
"create new",
"pulse use",
"pdf report",
"pcap",
"filehashsha1",
"filehashsha256",
"ipv4",
"hostname",
"expiration",
"domain",
"url https",
"url http",
"source",
"stix",
"email",
"email abuse",
"goreasonlimited",
"cc no",
"tompc",
"sum35",
"domain xn",
"searchbox0",
"domainname0",
"view",
"apple",
"apple id",
"hijacking",
"masquerading",
"exploit",
"cams",
"monitoring",
"loki bot",
"dns",
"open ports",
"malvertizing",
"malware hosting",
"apple script",
"js user",
"dga",
"dga domains",
"malware",
"multiple_versions",
"wagersta",
"decode",
"system information discovery",
"decrypt",
"evasion",
"defense evasion",
"emotet",
"android",
"ios",
"wannacry",
"trojan",
"worm",
"cyber threat",
"benjamin",
"whois record",
"ssl certificate",
"contacted",
"historical ssl",
"referrer",
"contacted urls",
"execution",
"whois whois",
"whois sslcert",
"and china",
"drop",
"uchealth",
"university of cincinnati health"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2701,
"FileHash-SHA1": 2296,
"FileHash-SHA256": 3362,
"URL": 6191,
"domain": 2033,
"hostname": 3097,
"email": 37,
"CVE": 2
},
"indicator_count": 19719,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "797 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65944a8149f2479b2fbc6cd1",
"name": "Relic",
"description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.",
"modified": "2024-02-01T14:01:46.735000",
"created": "2024-01-02T17:40:17.890000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers nel",
"maxage5184000",
"name verdict",
"falcon sandbox",
"whois record",
"ssl certificate",
"tsara brashears",
"whois whois",
"historical ssl",
"contacted",
"highly targeted",
"hackers",
"botnet",
"apple ios",
"malicious",
"hacktool",
"quasar",
"download",
"malware",
"relic",
"monitoring",
"installer",
"tofsee",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"united",
"file",
"pattern match",
"path",
"date",
"win64",
"factory",
"model",
"comspec",
"hybrid",
"general",
"click",
"strings",
"patch",
"song culture",
"tulach"
],
"references": [
"rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker",
"https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d",
"https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,",
"https://twitter.com/sheriffspurlock?lang=en",
"https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8",
"http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru",
"nr-data.net [Apple Private Data Collection]",
"init.ess.apple.com [backdoor, malicious script, access via media]",
"https://stackabuse.com/assets/images/apple",
"https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err",
"location-icloud.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]",
"mailtrack.io [tracking VirusTotal graphs, link trace back]",
"http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes",
"https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=",
"https://pin.it/ [faux Pinterest for TB]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [",
"114.114.114.114 [ Tulach Malware IP]",
"13.107.136.8 [ Tulach Malware IP redirect]",
"http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]",
"http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]",
"http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_",
"http://114.114.114.114/ipw.ps1",
"194.245.148.189 [CnC]",
"https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/",
"http://109.206.241.129/666bins/666.mpsl",
"http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2",
"143.244.50.213 |169.150.249.162 [malware_hosting]",
"http://watchhers.net/index.php [malware spreader]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"xred.mooo.com [pornhub trojan]",
"https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]",
"http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george",
"https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Comspec",
"display_name": "Comspec",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8049,
"FileHash-MD5": 388,
"FileHash-SHA1": 212,
"FileHash-SHA256": 7062,
"domain": 4401,
"hostname": 2653,
"CVE": 2,
"SSLCertFingerprint": 2
},
"indicator_count": 22769,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "808 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://pin.it/ [faux Pinterest for TB]",
"www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html",
"injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available",
"http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]",
"Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143",
"allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
"Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
"Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7",
"https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html",
"asp.net",
"\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e",
"13.107.136.8 [ Tulach Malware IP redirect]",
"http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_",
"http://download.virtualbox.org/virtualbox/debian",
"http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru",
"Yara Detections PEtite24",
"https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"go.sabey.com",
"https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html - scrubbed and for sale.",
"VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]",
"https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community",
"FormBook IP: 142.251.211.243",
"http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]",
"213.91.128.133 CnC AS 8866 (Vivacom Bulgaria EAD) BG - Miner",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,",
"https://mypornsnap.top/photos/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears thousands of sites surfaced online",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"fds.cellebrite.com",
"https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
"\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"144.76.108.82 [scanning host]",
"init.ess.apple.com [backdoor, malicious script, access via media]",
"https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/",
"https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/",
"https://pegasusm2.bullsbikesusa.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [",
"https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"",
"https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]",
"attorney-marketing-specialists.com ?",
"api-stage.pornhub.com",
"nr-data.net [Apple Private Data Collection]",
"www.anr.gov.pl",
"hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
"Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/",
"Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad",
"114.114.114.114",
"http://pegasus.diskel.co.uk/ [phishing]",
"http://www.metanetworks.org/tsara-lynn-brashears-dead",
"https://otx.alienvault.com/indicator/file/0274c7ffe81ebc6310a2857348a6653d0abbfca780238a854992b7b786bb1d72",
"www2.blackbagtech.com [hidden users included]",
"https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err",
"FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020",
"Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c",
"http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022",
"IDS Detections: Win32/Emotet CnC Activity (POST) M9 GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1",
"\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf",
"https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2",
"hxxps://onlyindianporn.net/videos/tsara-brashears/",
"rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker",
"http://www.anr.gov.pl",
"https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html",
"http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com",
"http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
"Virustotal - google.com.uy",
"It has taken years to slow the constant malicious DGA domains , they still keep smearing target only.",
"checkip.dyndns.org [command and control]",
"https://twitter.com/sheriffspurlock?lang=en",
"194.245.148.189 [CnC]",
"http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
"https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"0039ca3853af262af65326399713d4e45340eec4c3ea789be19335f06f090993",
"Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority Matches rule ET POLICY Cryptocurrency Miner Checkin Matches rule PUA-OTHER Cryptocurrency Miner outbound connection attempt",
"http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
"http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
"www-stage40.pornhub.com",
"143.244.50.213 |169.150.249.162 [malware_hosting]",
"https://otx.alienvault.com/indicator/file/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031",
"http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-",
"Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022",
"location-icloud.com",
"http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html",
"https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8",
"http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022",
"newbrazzers.com [y8.com]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
"william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c",
"\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671",
"http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html",
"mailtrack.io [tracking VirusTotal graphs, link trace back]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82",
"checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
"https://t.me/hermitspyware/24",
"https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]",
"defenselawyernj.com",
"http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george",
"Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79",
"Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba",
"www.videolan.org [info solutions]",
"cellebrite.com",
"wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-",
"sabey.com",
"remote.aciscomputers.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]",
"https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
"http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html",
"https://twitter.com/PORNO_SEXYBABES",
"https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
"http://109.206.241.129/666bins/666.mpsl",
"match.pegasus.isi.edu",
"https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/",
"https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]",
"https://whiteskycommunications.com/_Spoofed",
"http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
"http://dropbox.com/ [ intrusions/ dropbox stealer]",
"xred.mooo.com [pornhub trojan]",
"https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022",
"http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes",
"work.a-poster.info",
"https://tulach.cc/",
"healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
"https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
"http://watchhers.net/index.php [remote attackers | malware spreader]",
"CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33",
"AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.",
"https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=",
"hanmail.net",
"MyChart Phishing Scams",
"http://www.apple.com/appleca/AppleIncRootCertificate.cer",
"http://114.114.114.114/ipw.ps1",
"114.114.114.114 [Tulach]",
"114.114.114.114 [ Tulach Malware IP]",
"http://watchhers.net/index.php [malware spreader]",
"https://stackabuse.com/assets/images/apple",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Win.trojan.generic-9957168-0",
"Formbook",
"Win32:malware-gen",
"Tulach",
"Pws:win32/raven",
"Win.trojan.knigsfot-125",
"Alf:heraklezeval:trojan:win32/neurevt",
"I-worm/bagle.qe",
"Trojan:win32/comspec",
"Installer",
"Win.dropper.tofsee-9799489-0",
"Kimsuky",
"Trojan:msil/trojandropper",
"Hallrender",
"Artro",
"Skynet",
"Hacktool",
"Trojan:win32/glupteba.rq!msr",
"Win.trojan.tofsee-9770082-1",
"Trojanspy:win32/nivdort.de",
"Win32:crypterx-gen\\ [trj]",
"Generic",
"Alf:trojanspy:nivdort",
"Win.trojan.generic-9897526-0",
"Alibaba ransom:win32/stopcrypt",
"W32/expiro.fam",
"Win32:dropperx-gen\\ [drp]",
"Ransom:win32/stopcrypt.ak!mtb",
"Win.adware.relevantknowledge-9821121-0",
"Sibot - s0589",
"Relic",
"Sf:agent-dq\\ [trj]",
"Virtool:win32/tofsee",
"Emotet",
"Win32.renos/artro",
"Tofsee",
"Win64:ransomx-gen",
"Worm.bagle-44",
"Alf:trojandownloader:win32/vadokrist.a",
"Other:malware-gen\\ [trj]",
"W32.aidetect.malware2",
"Quasar rat",
"Downloader.cerber/js!1.a59c (classic)",
"Trojandownloader:win32/upatre!rfn",
"Trojanspy",
"Comspec",
"Goldfinder",
"Win64-trojan/pakes.exp",
"Verified",
"Exodus",
"Sabey",
"Infostealer/win.smokeloader.r439087"
],
"industries": [
"Technology",
"Government",
"Individual",
"Civil society",
"Patient",
"Insurance",
"Survivor",
"Finance",
"Telecommunications",
"Healthcare"
],
"unique_indicators": 191128
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/backmonitorstats.com",
"whois": "http://whois.domaintools.com/backmonitorstats.com",
"domain": "backmonitorstats.com",
"hostname": "html.backmonitorstats.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 19,
"pulses": [
{
"id": "69b2b76c9a490b69b6a085b3",
"name": "Exodus/cellbrite clone by Q Vashti",
"description": "",
"modified": "2026-03-12T12:54:04.160000",
"created": "2026-03-12T12:54:04.160000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6916e098df39114161354b23",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4295,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3255,
"domain": 2911,
"hostname": 2894,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13986,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952febb1dbcf05ee601f050",
"name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)",
"description": "",
"modified": "2025-12-29T22:20:43.238000",
"created": "2025-12-29T22:20:43.238000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65b80a20bbcd0eb305a740ec",
"export_count": 29097,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4101,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3155,
"domain": 2894,
"hostname": 2847,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13628,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "110 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6916e098df39114161354b23",
"name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ",
"description": "",
"modified": "2025-12-14T07:05:42.106000",
"created": "2025-11-14T07:56:08.872000",
"tags": [
"ssl certificate",
"network",
"malware",
"whois record",
"contacted",
"pegasus",
"resolutions",
"communicating",
"sa victim",
"assaulter",
"quasar",
"brian sabey",
"go.sabey",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"samples",
"united",
"aaaa",
"status",
"susp",
"search",
"passive dns",
"urls",
"domain",
"creation date",
"date",
"next",
"show",
"domain related",
"feeds ioc",
"maltiverse",
"analyze",
"scan endpoints",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"all search",
"otx octoseek",
"hostname",
"pulse submit",
"url analysis",
"files",
"china unknown",
"as4134 chinanet",
"unknown",
"name servers",
"showing",
"namesilo",
"domain name",
"dynadot llc",
"as8075",
"script urls",
"netherlands",
"a domains",
"capture",
"asnone united",
"record value",
"expiration date",
"entries",
"cname",
"tulach",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"available from",
"iana id",
"registrar abuse",
"registrar url",
"registrar whois",
"abuse contact",
"email",
"registry domain",
"code",
"win32 exe",
"ufed iphone",
"cellebrite ufed",
"setup",
"tjprojmain",
"ufed4pc",
"win32 dll",
"detections type",
"name",
"responder",
"exodus",
"android",
"office open",
"xml document",
"cellebrite",
"type name",
"pdf cellebrite",
"ufed release",
"cellbrite",
"privilege https",
"targets sa",
"survivor",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"file",
"pattern match",
"observed email",
"path",
"factory",
"hybrid",
"general",
"model",
"comspec",
"click",
"title",
"page",
"body doctype",
"quoth",
"raven",
"gmt content",
"type",
"vary",
"accept",
"october",
"december",
"copy",
"execution",
"awful",
"referrer",
"april",
"kimsuky",
"malicious",
"crypto",
"startpage",
"hacktool",
"installer",
"tofsee",
"historical ssl",
"threat roundup",
"phishing",
"utc submissions",
"submitters",
"csc corporate",
"domains",
"twitter",
"dropbox",
"incapsula",
"summary iocs",
"graph community",
"registrarsafe",
"gandi sas",
"google llc",
"amazon02",
"google",
"akamaias",
"facebook",
"service",
"patch",
"namecheapnet",
"cloudflarenet",
"amazonaes",
"gmo internet",
"apple",
"tsara brashears",
"keylogger"
],
"references": [
"https://tulach.cc/",
"cellebrite.com | https://cellebrite.com/en/federal-government/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://twitter.com/PORNO_SEXYBABES",
"hanmail.net",
"114.114.114.114",
"work.a-poster.info",
"www-stage40.pornhub.com",
"go.sabey.com",
"sabey.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Exodus",
"display_name": "Exodus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "Kimsuky",
"display_name": "Kimsuky",
"target": null
},
{
"id": "VirTool:Win32/Tofsee",
"display_name": "VirTool:Win32/Tofsee",
"target": "/malware/VirTool:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65a76c2901b34c79a681596d",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4295,
"FileHash-MD5": 322,
"FileHash-SHA1": 296,
"FileHash-SHA256": 3255,
"domain": 2911,
"hostname": 2894,
"CVE": 2,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 13986,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bbb31f6d91989d7fcd9592",
"name": "Who is Argus Health Systems in relation to United Healthcare",
"description": "Strange. Person/s handling a monitored targeted past accounts was contacted to have old bills paid. Told individual had Argus Health Insurance that wouldn\u2019t pay.\n\nIssues: \u2022 Individual wasn\u2019t a client of vendor in 2024\n\u2022 Was never an Argus client.\n\u2022 Social engineering type call. Angry employee demanding copy of front and back of Health Care Insurance card for UH payments for items purchased after approved prior authorization for in past purchases. \n\u2022 Gave an incredible amount of PHI over phone w/o appropriate new (or former) HIPPA standard verification. \u2022 Angrily refused to provide billing # or requesters name.\n*United Health Care has paid ZERO bills. \n* \n(Auto populated - Anel arauchealth cam) | https://www.argushealth.com. Argus Health Systems is a healthcare technology company based in Kansas City, MO. Specializing in pharmacy benefit management ...",
"modified": "2025-10-06T03:04:31.707000",
"created": "2025-09-06T04:05:50.955000",
"tags": [
"server",
"date",
"registrar abuse",
"csc corporate",
"domains",
"algorithm",
"key identifier",
"x509v3 subject",
"country",
"postal code",
"code",
"united",
"showing",
"entries",
"ip address",
"search",
"name servers",
"unknown aaaa",
"domain add",
"pulse submit",
"passive dns",
"content type",
"type content",
"all ipv4",
"url analysis",
"urls",
"files",
"title",
"meta",
"certificate",
"creation date",
"record value",
"hostname add",
"domain",
"unknown ns",
"china unknown",
"body",
"please",
"x msedge",
"pulse pulses",
"present aug",
"hong kong",
"extraction",
"data upload",
"levelbluelabs",
"search otx",
"pcap",
"stix",
"url or",
"texdr",
"failedto",
"drop",
"aaaa",
"record type",
"ttl value",
"historical ssl",
"certificates",
"thumbprint",
"present jan",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jul",
"present jun",
"moved",
"gmt content",
"a domains",
"next http",
"scans show",
"error",
"present sep",
"present may",
"present jul",
"present mar",
"present apr"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2091,
"domain": 817,
"URL": 7939,
"email": 5,
"FileHash-SHA256": 2960,
"FileHash-SHA1": 240,
"FileHash-MD5": 227
},
"indicator_count": 14279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688f4c5545b3f6aa22cd15ac",
"name": "www.anr.gov.pl",
"description": "https://www.virustotal.com/gui/domain/www.anr.gov.pl/relations\nhttps://crt.sh/?q=mail1.anr.gov.pl",
"modified": "2025-09-02T11:04:40.312000",
"created": "2025-08-03T11:47:33.053000",
"tags": [
"id03fam",
"id48576"
],
"references": [
"http://www.anr.gov.pl",
"www.anr.gov.pl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 14,
"FileHash-SHA1": 14,
"FileHash-SHA256": 744,
"URL": 1367,
"domain": 144,
"email": 1,
"hostname": 373,
"CVE": 1
},
"indicator_count": 2658,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "229 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6882b365b45b9c6ee0eb7abc",
"name": "Mold and Water Damage | Botnet - every search will remit false results",
"description": "Mold and Water Damage | Botnet - every search will remit false results. In this instance it was a lawfirm. https://www.wshblaw.com/\n#malware #packed #botnetresults #likely #botnettester",
"modified": "2025-08-23T20:02:25.025000",
"created": "2025-07-24T22:27:49.105000",
"tags": [
"redacted for",
"name servers",
"united",
"date",
"passive dns",
"urls",
"pulse submit",
"url analysis",
"files",
"domain",
"unknown",
"etpro trojan",
"possible virut",
"dga nxdomain",
"responses",
"entries",
"search",
"read c",
"show",
"read",
"win32",
"copy",
"write",
"malware",
"next",
"files ip",
"address",
"date hash",
"domain related",
"showing",
"ip address",
"ip related",
"pulses none",
"related tags",
"none indicator",
"facts domain",
"poland unknown",
"aaaa",
"present apr",
"domain add",
"pulse pulses",
"windows",
"windows nt",
"medium",
"high",
"cnc beacon",
"trojan",
"present may",
"present jun",
"present sep",
"present nov",
"present feb",
"present aug",
"present oct",
"backdoor",
"msil",
"united kingdom",
"great britain",
"susp",
"win64",
"content type",
"trojandropper",
"worm",
"ransom",
"expiration",
"no expiration",
"hostname",
"url http",
"embeddedwb",
"shellexecuteexw",
"whitelisted",
"msie",
"service",
"cloud",
"hostname add",
"extraction",
"data upload",
"enter soukue",
"url uk",
"teukau",
"drup uk",
"drows type",
"extre",
"include review",
"exclude sugges",
"find",
"a domains",
"gmt content",
"ipv4 add",
"canada unknown",
"meta",
"cloudflare",
"status",
"span",
"reverse dns",
"asn as13335",
"dns resolutions",
"domains top",
"body",
"apache",
"delete",
"ukraine",
"registrar",
"creation date",
"servers",
"present jul",
"self",
"date tue",
"gmt server",
"expires wed",
"apache vary",
"server google",
"tag manager",
"gmt etag",
"acceptranges",
"contentlength",
"pragma",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"itre att",
"unicode text",
"utf8 text",
"crlf",
"lf line",
"copy md5",
"sha1",
"copy sha1",
"sha256",
"copy sha256",
"size",
"truetype",
"ascii text",
"pattern match",
"mitre att",
"format",
"general",
"local",
"path",
"encrypt",
"click",
"strings"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1326,
"URL": 3745,
"domain": 778,
"email": 2,
"FileHash-SHA256": 2360,
"FileHash-MD5": 355,
"FileHash-SHA1": 347,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8917,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "239 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687f0f210ec1de4316b22522",
"name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled",
"description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att",
"modified": "2025-08-21T03:02:43.704000",
"created": "2025-07-22T04:10:09.158000",
"tags": [
"date",
"submit url",
"analysis",
"passive dns",
"urls",
"files",
"ip address",
"asn as13335",
"whois registrar",
"creation date",
"extraction",
"data",
"extri",
"include review",
"iocs",
"data upload",
"united",
"unknown aaaa",
"search",
"showing",
"moved",
"a domains",
"record value",
"body"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6560,
"FileHash-MD5": 121,
"FileHash-SHA1": 125,
"FileHash-SHA256": 3989,
"domain": 1616,
"hostname": 1876,
"email": 3,
"CVE": 2
},
"indicator_count": 14292,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "241 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6824aa10fa32899c33abc3be",
"name": "tp://adorno.pl and http://vgt.pl INVESTIGATION requstor user Axelo",
"description": "https://t.co/zTZNBTe8GV",
"modified": "2025-06-14T00:00:30.956000",
"created": "2025-05-14T14:34:56.497000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 426,
"FileHash-SHA1": 455,
"FileHash-SHA256": 5596,
"URL": 15206,
"IPv4": 409,
"domain": 2473,
"hostname": 5059,
"CVE": 3
},
"indicator_count": 29627,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "309 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66994bda3e150656cd5ac9dd",
"name": "Browser Session Hijacking Various MyChart Phishing Scams",
"description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.",
"modified": "2024-08-17T16:01:11.866000",
"created": "2024-07-18T17:07:38.719000",
"tags": [
"historical ssl",
"referrer",
"domains",
"august",
"phishingscams",
"domains part",
"domain tracker",
"roundup",
"new problems",
"privacy badger",
"startpage",
"self",
"httponly",
"samesitenone",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"sha256",
"pragma",
"mychartlocale",
"urls",
"ip detections",
"country",
"contacted",
"files",
"file type",
"name file",
"gmbh",
"cloudflare",
"tucows",
"ii llc",
"alibaba cloud",
"computing",
"sample",
"media t1091",
"t1497 may",
"mitre att",
"access ta0001",
"replication",
"ta0004 process",
"injection t1055",
"defense evasion",
"http requests",
"get http",
"request",
"host",
"dns resolutions",
"ip traffic",
"hashes",
"tsara brashears",
"red team",
"hackers",
"highly targeted",
"critical risk",
"cyberstalking",
"apple",
"apple ios",
"logistics",
"cyber defense",
"guloader",
"hacktool",
"emotet",
"phishing",
"facebook",
"malware",
"hiddentear",
"maze",
"server",
"domain status",
"date",
"algorithm",
"google llc",
"registrar abuse",
"registrar",
"record type",
"ttl value",
"aaaa",
"whois lookup",
"admin country",
"ca creation",
"dnssec",
"markmonitor",
"siblings",
"whois lookups",
"expiration date",
"registrar iana",
"creation date",
"first",
"united",
"as15169 google",
"cname",
"status",
"virtool",
"cryp",
"as396982 google",
"search",
"name servers",
"win32",
"remote"
],
"references": [
"MyChart Phishing Scams",
"exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82",
"VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64-Trojan/Pakes.Exp",
"display_name": "Win64-Trojan/Pakes.Exp",
"target": null
},
{
"id": "Win64:RansomX-gen",
"display_name": "Win64:RansomX-gen",
"target": null
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 37,
"FileHash-SHA1": 33,
"FileHash-SHA256": 3473,
"domain": 693,
"URL": 4384,
"hostname": 1610,
"CVE": 2,
"email": 3
},
"indicator_count": 10235,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "610 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "666de04fd3531dc0896346a1",
"name": "Skynet | Emotet | Nivdort | WhiteSky Communications_SPOOFED | Denver, Co",
"description": "ISP of targets very close associate is spoofed. Ad. Full CnC . It's all there. Pulse better NOT be modified. Jeffrey Scott Reimer DPT who allegedly SA'd target hasn't been put under ANY scrutiny, a weakly written police report exists. A very healthy very fit woman who went to physical therapy left with a spinal cord injury, ACM, TBI, central nervous system injuries, separated hips & SI joints due to the great force of 'SA'. A letter from an MD demanded investigation as to how target ended up with injuries she didn't arrive with. Minor injury. Placed at MMI by 1st PT. It was insisted she to go to Reimer. She has a power wheelchair now. Now victim is a suspect needing to be surveilled. PT is now victim of unnamed crime against this 6'3 brut. Hacker Brian Sabey states Reimer hired him. Surveillance, bold confrontations, physically, verbally & cyber attacks need to stop. Countless SA victims probably go through something, but this? Shhhh. Silence please. Reimer needs to live his life.",
"modified": "2024-08-14T06:01:01.267000",
"created": "2024-06-15T18:41:19.343000",
"tags": [
"historical ssl",
"referrer",
"project skynet",
"cyber army",
"page dow",
"poser",
"scammer",
"security",
"bitfender",
"parked",
"read c",
"search",
"show",
"high",
"unknown",
"united",
"pe32",
"intel",
"ms windows",
"entries",
"copy",
"hupigon",
"upatre",
"explorer",
"write",
"win32",
"malware",
"defender",
"passive dns",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"files",
"get na",
"possible",
"sinkhole cookie",
"value snkz",
"medium",
"nivdort",
"service",
"next",
"arbor networks",
"pulse pulses",
"body",
"contact",
"date",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"span",
"june",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"ip address",
"domain",
"ip related",
"as55293 a2",
"status",
"as8068",
"creation date",
"otx telemetry",
"emails",
"expiration date",
"name servers",
"america asn",
"algorithm",
"data",
"v3 serial",
"number",
"cus olet",
"encrypt cnr3",
"validity",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"first",
"win32 exe",
"identifier",
"info",
"dns replication",
"technology",
"passive",
"user",
"downloads",
"text",
"internet files",
"storage",
"firefox c",
"pings c",
"written c",
"files deleted",
"destination ip",
"threat roundup",
"april",
"september",
"october",
"december",
"january",
"august",
"hr rtd",
"bot networks",
"listen",
"awful",
"skynet",
"ptls7",
"clng",
"cdate",
"ygjpaufscontext",
"flashpix",
"bhja",
"error resume",
"voun2hd",
"odx3x33jk9w3",
"false",
"template",
"crash",
"emotet",
"project",
"pe32 executable",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"vs2008",
"data rticon",
"kyrgyz default",
"default",
"rticon kyrgyz",
"info compiler",
"products",
"vs2005",
"header intel",
"name md5",
"domains",
"csc corporate",
"com laude",
"registrarsafe",
"namecheap inc",
"psiusa",
"domain robot",
"ii llc",
"hetzner online",
"gmbh",
"type name",
"file type",
"kb file",
"ip detections",
"country",
"contacted",
"hashes",
"file system",
"pegasus",
"targets sa",
"survivor",
"matches rule",
"virus network",
"comcast",
"hiddentear",
"critical",
"installer",
"targets tsara brashears",
"trojan evader",
"trojan malware",
"npzk765",
"content type",
"a domains",
"as16276",
"body doctype",
"public w3cdtd",
"xhtml",
"xmlns http",
"gmt server",
"accept",
"graph",
"http requests",
"connect",
"dns resolutions",
"ip traffic",
"remote debian spy",
"search debian available space",
"hacking",
"targeting",
"indostealer",
"law firm",
"showing",
"x00x00",
"trustinfo",
"registry",
"external ip",
"observed",
"administrator",
"persistence",
"execution",
"hallrender",
"west domains",
"trojan",
"memcommit",
"pe section",
"low software",
"packing t1045",
"t1045",
"pe resource",
"jeffrey scott reimer"
],
"references": [
"https://whiteskycommunications.com/_Spoofed",
"https://otx.alienvault.com/indicator/file/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031",
"213.91.128.133 CnC AS 8866 (Vivacom Bulgaria EAD) BG - Miner",
"0039ca3853af262af65326399713d4e45340eec4c3ea789be19335f06f090993",
"Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority Matches rule ET POLICY Cryptocurrency Miner Checkin Matches rule PUA-OTHER Cryptocurrency Miner outbound connection attempt",
"https://twitter.com/PORNO_SEXYBABES",
"IDS Detections: Win32/Emotet CnC Activity (POST) M9 GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1",
"https://otx.alienvault.com/indicator/file/0274c7ffe81ebc6310a2857348a6653d0abbfca780238a854992b7b786bb1d72",
"https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html - scrubbed and for sale.",
"https://mypornsnap.top/photos/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears thousands of sites surfaced online",
"It has taken years to slow the constant malicious DGA domains , they still keep smearing target only.",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"http://www.metanetworks.org/tsara-lynn-brashears-dead",
"hxxps://onlyindianporn.net/videos/tsara-brashears/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Infostealer/Win.SmokeLoader.R439087",
"display_name": "Infostealer/Win.SmokeLoader.R439087",
"target": null
},
{
"id": "Alibaba Ransom:Win32/StopCrypt",
"display_name": "Alibaba Ransom:Win32/StopCrypt",
"target": "/malware/Alibaba Ransom:Win32/StopCrypt"
},
{
"id": "W32.AIDetect.malware2",
"display_name": "W32.AIDetect.malware2",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:TrojanSpy:Nivdort",
"display_name": "ALF:TrojanSpy:Nivdort",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.RQ!MSR",
"display_name": "Trojan:Win32/Glupteba.RQ!MSR",
"target": "/malware/Trojan:Win32/Glupteba.RQ!MSR"
},
{
"id": "Win.Dropper.Tofsee-9799489-0",
"display_name": "Win.Dropper.Tofsee-9799489-0",
"target": null
},
{
"id": "Win32:DropperX-gen\\ [Drp]",
"display_name": "Win32:DropperX-gen\\ [Drp]",
"target": null
}
],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 4,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 334,
"FileHash-SHA1": 332,
"FileHash-SHA256": 2760,
"URL": 3080,
"domain": 2294,
"hostname": 1436,
"CVE": 1,
"email": 7,
"CIDR": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 10247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "613 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://html.backmonitorstats.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://html.backmonitorstats.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776629335.6840994
}