{ "type": "URL", "indicator": "https://it.fxgm.com/open", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://it.fxgm.com/open", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3815588037, "indicator": "https://it.fxgm.com/open", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "67035385a884405e783f9a7e", "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com |", "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd", "modified": "2024-11-06T01:02:24.390000", "created": "2024-10-07T03:20:37.224000", "tags": [ "canada unknown", "redacted for", "as25825", "all scoreblue", "passive dns", "ipv4", "reverse dns", "next", "for privacy", "cname", "united states", "nxdomain", "ns nxdomain", "united", "as21928", "south korea", "as9318 sk", "taiwan as3462", "as701 verizon", "search", "maxage apt", "minage apt", "maxsize apt", "malware", "as44273 host", "creation date", "status", "showing", "record value", "certificate", "date", "urls", "overview ip", "address", "related nids", "files location", "flag united", "domain", "files related", "intel", "ms windows", "users", "pe32", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "trojan", "write", "registrar", "pulse submit", "url analysis", "files", "msie", "chrome", "rdds service", "record", "registrant", "admin", "tech contact", "name servers", "email please", "moved", "trojanproxy", "virtool", "as1221", "aaaa", "asnone united", "show", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "script urls", "gmt path", "fedora", "open ports", "nginx http", "server", "a domains", "gmt content", "set cookie", "gmt etag", "accept", "expiration date", "backdoor", "mirai", "scan endpoints", "all search", "otx scoreblue", "hostname", "verdict", "unknown", "new pulse", "loveland", "america asn", "Generic36.ABKD", "domains", "location canada", "as32133", "files ip", "address domain", "path max", "age86400 set", "cookie", "type", "entries", "script domains", "downloader", "body", "servers", "emails", "gmt max", "title", "meta", "as20940", "as16625 akamai", "west domains", "as4230 claro", "copy", "sabey", "contacted" ], "references": [ "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "Domains Contacted: ntp.ubuntu.com", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Taiwan", "Philippines", "India", "Italy", "Germany", "Netherlands" ], "malware_families": [ { "id": "ELF:Mirai-BZ\\ [Trj]", "display_name": "ELF:Mirai-BZ\\ [Trj]", "target": null }, { "id": "Mirai_Botnet_Malware", "display_name": "Mirai_Botnet_Malware", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TrojanDownloader:Win32/Fosniw", "display_name": "TrojanDownloader:Win32/Fosniw", "target": "/malware/TrojanDownloader:Win32/Fosniw" }, { "id": "TrojanClicker:Win32/Frosparf", "display_name": "TrojanClicker:Win32/Frosparf", "target": "/malware/TrojanClicker:Win32/Frosparf" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Legal", "Healthcare", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1230, "email": 16, "hostname": 1560, "URL": 3400, "FileHash-SHA256": 1064, "FileHash-MD5": 544, "FileHash-SHA1": 496, "CVE": 1 }, "indicator_count": 8311, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658f967a4fc7ebe8021b9382", "name": "Mirai Apple Attack +", "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-30T04:03:06.598000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659127f3265ec6306b607faa", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-31T08:36:03.380000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944b9812ea52ab41c0259d", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2024-01-02T17:44:56.709000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "PEXE - DOS executable (COM)", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "Domains Contacted: ntp.ubuntu.com", "http://sexkompas.xyz", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "tracking2youdu.com , cdn.livechatinc.com", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc.", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "https://twitter.com/PORNO_SEXYBABES", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "103.246.145.111 - scanning host", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg", "Found in: https://jbplegal.com", "nr-data.net | Apple Private Data collection", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "00000000.apple.com | remote SIM Swap", "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Backdoor:linux/mirai.b", "Trojan:win32/zombie.a", "Unix.trojan.mirai-6976991-0", "Mirai_botnet_malware", "Win32:malware-gen", "Win32:pwsx-gen", "Win.malware.vtflooder-6260355-1", "Elf:mirai-bz\\ [trj]", "Trojan:win32/glupteba.mt!mtb", "Trojandownloader:win32/fosniw", "Trojanclicker:win32/frosparf", "Win32:injector-cvf\\ [trj]\t\twin.mal", "Win.trojan.buzus-5453", "Trojan.mirai/genericrxui", "Etpro", "Mirai", "Ratel" ], "industries": [ "Legal", "Civil society", "Healthcare", "Education" ], "unique_indicators": 49593 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/fxgm.com", "whois": "http://whois.domaintools.com/fxgm.com", "domain": "fxgm.com", "hostname": "it.fxgm.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "67035385a884405e783f9a7e", "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com |", "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd", "modified": "2024-11-06T01:02:24.390000", "created": "2024-10-07T03:20:37.224000", "tags": [ "canada unknown", "redacted for", "as25825", "all scoreblue", "passive dns", "ipv4", "reverse dns", "next", "for privacy", "cname", "united states", "nxdomain", "ns nxdomain", "united", "as21928", "south korea", "as9318 sk", "taiwan as3462", "as701 verizon", "search", "maxage apt", "minage apt", "maxsize apt", "malware", "as44273 host", "creation date", "status", "showing", "record value", "certificate", "date", "urls", "overview ip", "address", "related nids", "files location", "flag united", "domain", "files related", "intel", "ms windows", "users", "pe32", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "trojan", "write", "registrar", "pulse submit", "url analysis", "files", "msie", "chrome", "rdds service", "record", "registrant", "admin", "tech contact", "name servers", "email please", "moved", "trojanproxy", "virtool", "as1221", "aaaa", "asnone united", "show", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "script urls", "gmt path", "fedora", "open ports", "nginx http", "server", "a domains", "gmt content", "set cookie", "gmt etag", "accept", "expiration date", "backdoor", "mirai", "scan endpoints", "all search", "otx scoreblue", "hostname", "verdict", "unknown", "new pulse", "loveland", "america asn", "Generic36.ABKD", "domains", "location canada", "as32133", "files ip", "address domain", "path max", "age86400 set", "cookie", "type", "entries", "script domains", "downloader", "body", "servers", "emails", "gmt max", "title", "meta", "as20940", "as16625 akamai", "west domains", "as4230 claro", "copy", "sabey", "contacted" ], "references": [ "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "Domains Contacted: ntp.ubuntu.com", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Taiwan", "Philippines", "India", "Italy", "Germany", "Netherlands" ], "malware_families": [ { "id": "ELF:Mirai-BZ\\ [Trj]", "display_name": "ELF:Mirai-BZ\\ [Trj]", "target": null }, { "id": "Mirai_Botnet_Malware", "display_name": "Mirai_Botnet_Malware", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TrojanDownloader:Win32/Fosniw", "display_name": "TrojanDownloader:Win32/Fosniw", "target": "/malware/TrojanDownloader:Win32/Fosniw" }, { "id": "TrojanClicker:Win32/Frosparf", "display_name": "TrojanClicker:Win32/Frosparf", "target": "/malware/TrojanClicker:Win32/Frosparf" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Legal", "Healthcare", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1230, "email": 16, "hostname": 1560, "URL": 3400, "FileHash-SHA256": 1064, "FileHash-MD5": 544, "FileHash-SHA1": 496, "CVE": 1 }, "indicator_count": 8311, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658f967a4fc7ebe8021b9382", "name": "Mirai Apple Attack +", "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-30T04:03:06.598000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659127f3265ec6306b607faa", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-31T08:36:03.380000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944b9812ea52ab41c0259d", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2024-01-02T17:44:56.709000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://it.fxgm.com/open", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://it.fxgm.com/open", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776597688.252727 }