{ "type": "URL", "indicator": "https://inferno.demonoid.me", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://inferno.demonoid.me", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3777712373, "indicator": "https://inferno.demonoid.me", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 31, "pulses": [ { "id": "66d8d8d8238606c85e7a3979", "name": "AS200019 alexhost srl", "description": "", "modified": "2025-06-07T15:39:05.533000", "created": "2024-09-04T22:02:00.596000", "tags": [], "references": [ "https://www.virustotal.com/graph/gf011ff2560014743857f4dc25899d89d7afb2779d5ae47a28a60412eb0de8f07" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1193, "hostname": 1141, "URL": 3301, "FileHash-SHA256": 626, "CVE": 3 }, "indicator_count": 6264, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48b6ea16eeb6b54dfad7c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears", "description": "", "modified": "2024-01-15T01:33:34.790000", "created": "2024-01-15T01:33:34.790000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6590f9b6b1fe0330c655c25f", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "825 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6572622bba87d8d105a7259f", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-08T00:24:11.801000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715b49b95c13605856d6d0", "export_count": 234, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715b49b95c13605856d6d0", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:42:33.281000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715ad29ac565164664960b", "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715ad29ac565164664960b", "name": "InstallMate", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:40:34.888000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9b6b1fe0330c655c25f", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears ", "description": "", "modified": "2023-12-31T05:18:46.519000", "created": "2023-12-31T05:18:46.519000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "658741502e029e25c7152cc0", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df2a7b287c614a94f94", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:50.158000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656e19dfeee6ead11dc6354e", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "", "modified": "2023-12-24T22:02:36.942000", "created": "2023-12-04T18:26:39.448000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65612df2a7b287c614a94f94", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df1531ea0c35d79b1f4", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:49.909000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658741502e029e25c7152cc0", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:36.641000", "created": "2023-12-23T20:21:36.641000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "847 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6587414f2e029e25c7152cbf", "name": "busted hijacking", "description": "", "modified": "2023-12-23T20:21:35.725000", "created": "2023-12-23T20:21:35.725000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Machidian45", "id": "262704", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "847 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c7a11d7541bdb3bfe5ff", "name": "Radar Ineractive. Law Firm responsible for cyber crime.", "description": "Is this legal. Attorney from Hall Render law firm cyber stalking and malvertizing targets in adult content, dungeons, death scenarios, suicide threats? Pulse auto populates targets: Tsara Brashears 'alleged' SA victim. This may not be the forum for my , death threats should always be investigated as should allegations of assault. Malware, BotNet, car and phone tracking, monitoring, injection, .gov is found throughout. Monitoring of Safebae.org; online movement began by now deceased 'alleged' SA victim, Daisy Coleman of Audrey & Daisy. High Risk surviving target. Crazy cover up? Each target seems to have a state government power 'implicated' in attack. \n\nEd Said", "modified": "2023-12-16T19:40:11.047000", "created": "2023-11-03T10:12:49.539000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1644, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13455, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654593cc8486ce8ed1254858", "name": "Apple iOS | Skynet", "description": "", "modified": "2023-12-03T12:00:16.446000", "created": "2023-11-04T00:43:56.830000", "tags": [], "references": [ "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "Poemhunter.com", "iphone-track-service.info", "track-idevice-location.info", "http://45.159.189.105/bot/regex", "chat.pornhub.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "6544f195987ad886d609d965", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 117, "FileHash-SHA256": 2855, "domain": 686, "hostname": 1730, "URL": 5380, "email": 2, "CVE": 3 }, "indicator_count": 10897, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544f195987ad886d609d965", "name": "Apple iOS | Skynet", "description": "PoemHunter.com\nAnti-Reverse Engineering Creates guarded memory regions (anti-debugging trick to avoid memory dumping)\ndetails , CNC\n tcp traffic, phishing, malicious, 24/7 tracking, monitoring, spyware, scanning host, malware host, command and control, adware, trojan, worm, apple iOS tracking, device location tracking, listening, information retrieval, malvertizing, BotNet service.", "modified": "2023-12-03T12:00:16.446000", "created": "2023-11-03T13:11:48.680000", "tags": [], "references": [ "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "Poemhunter.com", "iphone-track-service.info", "track-idevice-location.info", "http://45.159.189.105/bot/regex", "chat.pornhub.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 117, "FileHash-SHA256": 2855, "domain": 686, "hostname": 1730, "URL": 5380, "email": 2, "CVE": 3 }, "indicator_count": 10897, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6546d206936ee17a0828d9c9", "name": "Deptlock Browser Compromise attack initiated by malicious (SOC) Partner ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T23:21:42.110000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a94d1bdedd646afda170d", "name": "Resources Hijacking by Attorney 11_03_2023", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-12-02T02:22:09.814000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545bda27bd3a147ebac71a8", "name": "CNC Feodo Tracker | Resources Hijacking by Attorney ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T03:42:26.978000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545a303731b2df439eb1a3b", "name": "Occamy Remote PC / Device Control", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T01:48:51.255000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c99af21a2fde7bd6927e", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65459cbd3069e99e327642b6", "name": "Resources Hijacking ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-04T01:22:05.691000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544d9b0f9b23205eb355210", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544d9b0f9b23205eb355210", "name": "Resources Hijacking by Attorney 11_03_2023", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T11:29:52.652000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544c99af21a2fde7bd6927e", "name": "Occamy Remote PC / Device Control ", "description": "", "modified": "2023-12-03T06:04:06.473000", "created": "2023-11-03T10:21:14.428000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6544c7a11d7541bdb3bfe5ff", "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c1ac991f85328604d2", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:52.382000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136c8e530066ae793dc64", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:18:00.623000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65413ea960cc79abf6d446fb", "name": "Vawtrak credential stealer | CNC", "description": "Cyber warfare\nTracking\nMonitoring\nMalvertizing\nCNC\nKeylogging\nBotNet\nSever Privacy Invasion", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:51:37.016000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545be6e02e0f9f82cb1febf", "name": "Vawtrak credential stealer | CNC", "description": "", "modified": "2023-11-30T07:01:37.424000", "created": "2023-11-04T03:45:50.234000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "keylogger", "sample path", "Miles IT" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "65413ea960cc79abf6d446fb", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5688, "URL": 15015, "domain": 3262, "hostname": 4687, "CVE": 16, "email": 8 }, "indicator_count": 28967, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654136b5eb9bdd21070ff9d7", "name": "Cyber Espionage", "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T17:17:41.263000", "tags": [ "contacted", "resolutions", "origin1", "ip address", "list", "communicating", "cyber threat", "united", "phishing", "phishing site", "covid19", "threat report", "ip summary", "url summary", "summary", "detection list", "installcore", "nymaim", "suppobox", "malicious", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "malware site", "malicious site", "heur", "exploit", "alexa", "riskware", "team", "blacklist https", "blacklist", "facebook", "engineering", "iframe", "downloader", "unsafe", "artemis", "trojanx", "agent", "unruy", "win64", "fakealert", "fusioncore", "redirector", "killav", "trojan", "lokibot", "emotet", "redline stealer", "cobalt strike", "citadel", "vawtrak", "qakbot", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "adwind", "crack", "generic", "wacatac", "opencandy", "nircmd", "downldr", "filetour", "cleaner", "conduit", "tiggre", "presenoker", "zpevdo", "webcompanion", "seraph", "tofsee", "xrat", "xtrat", "patcher", "adload", "stealer", "vidar", "raccoon", "bank", "urls", "generic malware", "noname057", "reimer", "agency", "charles", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "name verdict", "date", "root ca", "markmonitor", "name server", "windir", "unknown", "swisscom root", "post root", "trust", "hybrid", "general", "click", "strings", "class", "generator", "critical", "error", "defence", "fraud", "logistics", "ipv4", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber warfare", "created", "months ago", "modified", "next", "url https", "url http", "all octoseek", "month ago", "utmsourcemailer", "ck id", "t1140", "filehashsha256", "tsara brashears", "adult content", "pornography", "malvertizing", "privacy invasion", "privilege escalation", "packed", "aig.com", "aig.rastreator.mx", "apple", "ios", "tracking", "monitoring", "nr-data.net", "asp.net" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" } ], "industries": [ "Defense", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 166, "FileHash-SHA1": 125, "FileHash-SHA256": 5806, "URL": 16475, "domain": 3302, "hostname": 5135, "CVE": 16, "email": 8 }, "indicator_count": 31033, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Research", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "http://alohatube.xyz/search/tsara-brashears", "tulach.cc [AM | phishing]", "wTools", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://tulach.cc/ [phishing attacks]", "https://www.reddit.com/user/", "3.163.189.120 [Tracking]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "ww12.indianpornxxxtube.com", "103.224.182.246 [command_and_control]", "http://45.159.189.105/bot/regex", "ddos.dnsnb8.net [command_and_control]", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "http://benjamin.xww.de/", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "poemhunter.com", "http://mobilesmafia.com/applications/botnet.ex", "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "Hybrid Analysis", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "Gowi Live Bot.exe", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "103.224.182.253 [command_and_control]", "86.140.232.148 [scanning_host]", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "Found in: https://Side3.com/", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "www2.megawebfind.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "nr-data.net [Apple Private Data Collection]", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://www.hallrender.com/resources/blog/", "104.86.182.8 [command_and_control]", "track-idevice-location.info", "pornhub.org", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://dev.findatoyota.com/", "findbetterresults.com", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "checkip.dyndns.org [command_and_control]", "Poemhunter.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "iphone-track-service.info", "chat.pornhub.dev", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "safebae.org", "https://www.hallrender.com/attorney/brian-sabey", "www.supernetforme.com [command_and_control]", "https://www.virustotal.com/graph/gf011ff2560014743857f4dc25899d89d7afb2779d5ae47a28a60412eb0de8f07", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "https://otx.alienvault.com/indicator/domain/findmy-apple.support" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tulach | Mark Brian Sabey | Hall Render Law Firm" ], "malware_families": [ "Cutwail", "Generic", "Sality", "Ransomware", "Noname057", "Yixun", "Spyeye", "Win32:inject-bcl\\ [trj]", "Generic_r.byw", "Malware", "Nanocore rat", "Milesmx", "Win32:evo-gen\\ [trj]", "Honeypot", "Trojan:win32/remcosrat", "Redline", "Quasar rat", "Win.trojan.mbrlock-9779766-0", "Slfper:browsermodifier:win32/mediamagnet", "Hacktool", "Wacatac", "Emotet", "Webtoolbar", "Formbook", "Maltiverse", "W32.sality-73", "Br", "Opencandy", "Mbt", "Rms", "Am", "Occamy", "Domains", "Systweak", "Tiggre", "Win.trojan.agent-828507", "Sheur4.ceoo", "Static ai - malicious pe", "Inmortal", "Darkside .beware", "Feodo tracker", "Win32/tanatos.a", "Zbot", "Adware.pcappstore/veryfast", "Tulach malware", "Virut", "Citadel", "Suppobox", "Zpevdo", "Ransomexx", "Win32/cryptor", "Hsbc", "#lowfi:suspicioussectionname", "Agent tesla", "Nsis", "Radar ineractive", "Iobit", "Nymaim", "Xrat", "Trojanspy", "Vidar" ], "industries": [ "Technology", "Telecommunications", "Health", "Defense", "Government", "Media", "Entertainment" ], "unique_indicators": 139674 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/demonoid.me", "whois": "http://whois.domaintools.com/demonoid.me", "domain": "demonoid.me", "hostname": "inferno.demonoid.me" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 31, "pulses": [ { "id": "66d8d8d8238606c85e7a3979", "name": "AS200019 alexhost srl", "description": "", "modified": "2025-06-07T15:39:05.533000", "created": "2024-09-04T22:02:00.596000", "tags": [], "references": [ "https://www.virustotal.com/graph/gf011ff2560014743857f4dc25899d89d7afb2779d5ae47a28a60412eb0de8f07" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1193, "hostname": 1141, "URL": 3301, "FileHash-SHA256": 626, "CVE": 3 }, "indicator_count": 6264, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48b6ea16eeb6b54dfad7c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears", "description": "", "modified": "2024-01-15T01:33:34.790000", "created": "2024-01-15T01:33:34.790000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "6590f9b6b1fe0330c655c25f", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "825 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6572622bba87d8d105a7259f", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-08T00:24:11.801000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715b49b95c13605856d6d0", "export_count": 234, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715b49b95c13605856d6d0", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:42:33.281000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715ad29ac565164664960b", "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715ad29ac565164664960b", "name": "InstallMate", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:40:34.888000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9b6b1fe0330c655c25f", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears ", "description": "", "modified": "2023-12-31T05:18:46.519000", "created": "2023-12-31T05:18:46.519000", "tags": [ "cisco umbrella", "site", "alexa top", "emotet", "telefonica co", "million", "malware", "detection list", "blacklist", "alexa", "installcore", "heur", "cyber threat", "united", "phishing", "engineering", "phishing site", "team phishing", "spammer", "malicious site", "team", "download", "cobalt strike", "facebook", "artemis", "pony", "binder", "suppobox", "virut", "ramnit", "dropper", "formbook", "azorult", "simda", "downloader", "service", "bank", "zbot", "trojanspy", "heodo", "hostname", "hostnames", "whois record", "kgs0", "kls0", "apple ios", "tsara brashears", "ssl certificate", "elf collection", "cyberstalking", "spyware", "hackers", "installer", "open", "banker", "keylogger", "malicious", "hacktool", "core", "noname057", "generic malware", "safe site", "malware site", "iframe", "riskware", "exploit", "fakealert", "unsafe", "acint", "win64", "nircmd", "agent", "opencandy", "conduit", "swrort", "crack", "installpack", "xtrat", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "floxif", "cleaner", "patcher", "adload", "presenoker", "wacatac", "fusioncore", "genkryptik", "webtoolbar", "maltiverse", "smokeloader", "download json", "urls", "blacklist http", "kyriazhs1975", "vidar", "strike", "china cobalt", "meterpreter", "nanocore rat", "njrat", "redline stealer", "stealer", "nymaim", "mirai", "ghost rat", "runescape", "bradesco", "msil", "bladabindi", "orkut", "cutwail", "bandoo", "matsnu", "inmortal", "domains", "redline", "control server", "services", "generic", "br", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "squirrelwaffle", "soc http", "soc https", "back", "download csv", "json sample", "injector", "malicious url", "downldr", "covid19 scam", "historical ssl", "referrer", "contacted", "whois whois", "contacted urls", "whois sslcert", "threat roundup", "copy", "august", "execution", "ransomware", "gopher", "remcos", "attack", "radar ineractive", "paypal", "covid19", "phishing chase", "phishing google", "tracker malware", "chase personal", "banking", "javascript", "please", "cnc server", "tracker", "cnc feodo", "phishtank", "threats et", "name verdict", "falcon sandbox", "pattern match", "file", "ascii text", "indicator", "windows nt", "jpeg image", "appdata", "jfif standard", "script", "show", "date", "span", "unknown", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "path", "http header", "tcp traffic", "mitre att", "ck id", "show technique", "ck matrix", "accept", "adware", "ip address", "hsbc", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "trojanx", "webshell", "systweak", "behav", "tiggre", "runtime process", "sha256", "sha1", "mark brian sabey", "brian sabey", "sabey", "apple", "114.114.114.114", "attorney", "law", "spammer", "fraud service", "hallrender", "malvertizing", "cybercrime", "social engineering", "malware hosting", "cyber threat", "iphone unlocker", "malicious", "attacker", "tulach", "tulach.cc", "adult content", "child pornographer", "sabey data centers", "hall render denver", "monitoring", "stalker", "dev", "developer", "cyber harassment", "defacement", "death threats", "miner", "agenttesla", "trojan", "detplock", "networm", "rms", "sneaky server", "replacement", "unauthorized", "steam route", "tool", "probe", "safebae.org", "safebae", "daisy", "daisy coleman", "benjamin", "colorado", "missouri", "telefonica", "boost mobile", "blackievirus.com", "TrojanX", "metro t-mobile", "t-mobile", "mile high media", "CNC", "C2", "malware host", "yixun" ], "references": [ "https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a", "https://www.hallrender.com/attorney/brian-sabey", "safebae.org", "poemhunter.com", "http://www.hallrender.com/resources/blog/", "http://benjamin.xww.de/", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Hybrid Analysis", "wTools", "Research" ], "public": 1, "adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "BR", "display_name": "BR", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Feodo Tracker", "display_name": "Feodo Tracker", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Zpevdo", "display_name": "Zpevdo", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "DarkSide .Beware", "display_name": "DarkSide .Beware", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SLFPER:BrowserModifier:Win32/MediaMagnet", "display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "FORMBOOK", "display_name": "FORMBOOK", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Yixun", "display_name": "Yixun", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "658741502e029e25c7152cc0", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1643, "hostname": 1438, "CVE": 30, "FileHash-MD5": 2853, "FileHash-SHA1": 1584, "FileHash-SHA256": 3001, "URL": 2904, "email": 1 }, "indicator_count": 13454, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://inferno.demonoid.me", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://inferno.demonoid.me", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776628328.8387876 }