{ "type": "URL", "indicator": "https://it.gfconsultant.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://it.gfconsultant.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3756453808, "indicator": "https://it.gfconsultant.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6975c5cd4db6104ea1a3d69b", "name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related", "description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "modified": "2026-02-24T06:02:43.853000", "created": "2026-01-25T07:27:09.640000", "tags": [ "empty", "blender", "eurostile", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "holmes", "easy", "rada", "xanadu", "config", "reboot", "screen", "microsoft", "commerce server", "edition", "draw", "exchange server", "tools", "linux", "ideal link", "nsrl test", "nist", "file", "cultureneutral", "fix pack", "free download", "bouncycastle", "read c", "search", "et trojan", "w32kegotip cnc", "whitelisted", "ids detections", "intel", "write", "trojan", "malware", "yara detections", "productversion", "fileversion", "av detections", "alerts", "analysis date", "file score", "united", "aaaa", "passive dns", "ip address", "present dec", "body html", "head meta", "title", "urls", "url https", "http", "hostname", "files domain", "files related", "related tags", "beacon", "et", "ipv4", "files", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "show", "win32virut", "destination", "port", "ms windows", "pe32", "medium", "suspicious", "virustotal", "startul", "shadowbrokers", "total", "delete", "artemis", "win32.injector", "trendmicro", "data upload", "extraction", "included iocs" ], "references": [ "The Blender Foundation", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Google android-cts-7.1_r6-linux_x86-arm.zip", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "ET TROJAN W32/Kegotip CnC Beacon", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BouncyCastle", "display_name": "BouncyCastle", "target": null }, { "id": "Sf:ShellCode-AU", "display_name": "Sf:ShellCode-AU", "target": null }, { "id": "Win.Trojan.Fareit-82", "display_name": "Win.Trojan.Fareit-82", "target": null }, { "id": "Win.Trojan.Agent-245901", "display_name": "Win.Trojan.Agent-245901", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "W32/Kegotip CnC", "display_name": "W32/Kegotip CnC", "target": null }, { "id": "W32.Virut.ci", "display_name": "W32.Virut.ci", "target": null }, { "id": "Downloader.Generic13.CMTW", "display_name": "Downloader.Generic13.CMTW", "target": null }, { "id": "Downloader.Generic13.BOBZ", "display_name": "Downloader.Generic13.BOBZ", "target": null }, { "id": "Win.Trojan.Injector-12138", "display_name": "Win.Trojan.Injector-12138", "target": null }, { "id": "Generic36.ADTY", "display_name": "Generic36.ADTY", "target": null }, { "id": "Generic36.AIAA.Dropper", "display_name": "Generic36.AIAA.Dropper", "target": null }, { "id": "Generic36.AJSM", "display_name": "Generic36.AJSM", "target": null }, { "id": "Win32/Virut", "display_name": "Win32/Virut", "target": null }, { "id": "Win32/Ramnit.A", "display_name": "Win32/Ramnit.A", "target": null }, { "id": "Worm.Autorun-6180", "display_name": "Worm.Autorun-6180", "target": null }, { "id": "Hider.BIY", "display_name": "Hider.BIY", "target": null }, { "id": "Win.Trojan.Rootkit-4532", "display_name": "Win.Trojan.Rootkit-4532", "target": null }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win32.Injector", "display_name": "Win32.Injector", "target": null }, { "id": "TrendMicro", "display_name": "TrendMicro", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 71, "FileHash-SHA256": 853, "URL": 1639, "domain": 288, "FileHash-MD5": 78, "hostname": 545 }, "indicator_count": 3474, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "54 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655a13e4538e896c00f2077e", "name": "Spyware: http://browser.events.data.microsoftstart.cn", "description": "This report is generated by MITRE ATT&CK\u2122 and produced by the team at the University of California, San Francisco, and is available on the web, via the Microsoft Research website.\nTulach, 114.114.114.114, spyware, phishing, fraud, malvertizing, password cracker, iPhone unlocker, malicious, media sharing, miscellaneous attacks.", "modified": "2023-12-19T13:01:12.394000", "created": "2023-11-19T13:55:48.898000", "tags": [ "linkid246338", "whois record", "ssl certificate", "contacted", "execution", "historical ssl", "whois whois", "communicating", "resolutions", "referrer", "random", "august", "lockbit", "attack", "core", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "script", "temp", "ascii text", "date", "unknown", "service", "generator", "critical", "error", "meta", "hybrid", "local", "click", "strings", "threat roundup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 28, "FileHash-SHA256": 2526, "URL": 3515, "domain": 458, "hostname": 1092 }, "indicator_count": 7653, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655af35616dbd4781c681948", "name": "Spyware: http://browser.events.data.microsoftstart.cn", "description": "", "modified": "2023-12-19T13:01:12.394000", "created": "2023-11-20T05:49:10.586000", "tags": [ "linkid246338", "whois record", "ssl certificate", "contacted", "execution", "historical ssl", "whois whois", "communicating", "resolutions", "referrer", "random", "august", "lockbit", "attack", "core", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "script", "temp", "ascii text", "date", "unknown", "service", "generator", "critical", "error", "meta", "hybrid", "local", "click", "strings", "threat roundup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": "655a13e4538e896c00f2077e", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 28, "FileHash-SHA256": 2526, "URL": 3515, "domain": 458, "hostname": 1092 }, "indicator_count": 7653, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6553b88c316cfb531b9c4c10", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com", "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-14T18:12:28.459000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568ab12429c394dc4b91ea", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go", "description": "", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-16T21:33:37.838000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6553b88c316cfb531b9c4c10", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bc6301b7cdf7d04e095", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:44:54.422000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bdc3676a40633a619be", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:45:16.667000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568d67bd96e06ab44b9b95", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-16T21:45:11.721000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "65536bdc3676a40633a619be", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a980f14b5a32303bf865b", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-02T02:35:59.820000", "created": "2023-12-02T02:35:59.820000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "869 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a978cf39ec3cdc99278cc", "name": "RedLine", "description": "", "modified": "2023-12-02T02:33:48.848000", "created": "2023-12-02T02:33:48.848000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423a941aa6527fbbe40a53", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "869 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65423978ca5e5c9931b586a5", "name": "CNC server.telegrafix.com", "description": "Brute force passwords using SSH on server RELAY\nTargeted individual, adult content, malvertizing, keylogging, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:41:44.861000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65423a941aa6527fbbe40a53", "name": "RedLine", "description": "CNC server.telegrafix.com. Brute force passwords using SSH on server RELAY\nTargeted individual, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:46:28.418000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545a281ce7426288033f81e", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-04T01:46:41.933000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "ytq2rs56.haogfw.com", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://mobile.suddenlink2go.com/", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "AVDetections: Patched3_c.AKRV", "Alerts: console_output antivm_memory_available pe_features", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "mailbox.co.za", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "The Blender Foundation", "dishmail.net", "Email: d4@thinkman.com", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "Yara Detections: Armadillov171", "Google android-cts-7.1_r6-linux_x86-arm.zip", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "fmx32.aig.com \u2022 167.230.105.81", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "https://www.everycloudtech.com/free-mail-flow-monitor", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "Yara Detections: MS_Visual_Basic_6_0", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "monitor.cablelan.net", "pornhub.com", "myhughesnet.com", "home.toshiba.com", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "https://applemusic-spotlight.myunidays.com/US/en-US?", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "https://monitor.rodgersmith.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "ET TROJAN W32/Kegotip CnC Beacon", "ASN AS27064 dod network information center", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "Alerts: stealth_window packer_entropy uses_windows_utilities" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Inject2.bive", "Trojan.downloader12.43161", "Crypt3.chzw", "Generic36.adty", "Heur/unsec", "Roblox", "Redline", "Sf:shellcode-au", "Maltiverse", "Win.trojan.rootkit-4532", "Et trojan", "Win32.injector", "W32.virut.ci", "Win32/ramnit.a", "Crypt3.boqd\t\t inject2.bhbw", "Trendmicro", "Generic36.ajsm", "Et", "Hider.biy", "Generic36.aiaa.dropper", "Win32/blacked", "#lowfienabledtcontinueafterunpacking", "Trojandownloader:win32/umbald.a", "W32/kegotip cnc", "Win.trojan.agent-245901", "Crypt3.bxvc", "Downloader.generic13.bobz", "Win.trojan.injector-12138", "Crypt3.bxmj", "Trojanspy", "Trojan:win32/tiggre!rfn", "Downloader.generic13.cmtw", "Bouncycastle", "Patched3_c.akrv", "Win32:agent-alxe\\ [rtk]", "Worm.autorun-6180", "Backdoor:win32/tofsee.t", "Win32:malware-gen", "Win.trojan.fareit-82", "Win32:trojan-gen", "Win32/virut", "Crypt3.bmvu", "Win.trojan.rootkit-4668" ], "industries": [ "Government", "Insurance", "Military", "Defense" ], "unique_indicators": 81387 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/gfconsultant.org", "whois": "http://whois.domaintools.com/gfconsultant.org", "domain": "gfconsultant.org", "hostname": "it.gfconsultant.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6975c5cd4db6104ea1a3d69b", "name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related", "description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "modified": "2026-02-24T06:02:43.853000", "created": "2026-01-25T07:27:09.640000", "tags": [ "empty", "blender", "eurostile", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "holmes", "easy", "rada", "xanadu", "config", "reboot", "screen", "microsoft", "commerce server", "edition", "draw", "exchange server", "tools", "linux", "ideal link", "nsrl test", "nist", "file", "cultureneutral", "fix pack", "free download", "bouncycastle", "read c", "search", "et trojan", "w32kegotip cnc", "whitelisted", "ids detections", "intel", "write", "trojan", "malware", "yara detections", "productversion", "fileversion", "av detections", "alerts", "analysis date", "file score", "united", "aaaa", "passive dns", "ip address", "present dec", "body html", "head meta", "title", "urls", "url https", "http", "hostname", "files domain", "files related", "related tags", "beacon", "et", "ipv4", "files", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "show", "win32virut", "destination", "port", "ms windows", "pe32", "medium", "suspicious", "virustotal", "startul", "shadowbrokers", "total", "delete", "artemis", "win32.injector", "trendmicro", "data upload", "extraction", "included iocs" ], "references": [ "The Blender Foundation", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Google android-cts-7.1_r6-linux_x86-arm.zip", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "ET TROJAN W32/Kegotip CnC Beacon", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BouncyCastle", "display_name": "BouncyCastle", "target": null }, { "id": "Sf:ShellCode-AU", "display_name": "Sf:ShellCode-AU", "target": null }, { "id": "Win.Trojan.Fareit-82", "display_name": "Win.Trojan.Fareit-82", "target": null }, { "id": "Win.Trojan.Agent-245901", "display_name": "Win.Trojan.Agent-245901", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "W32/Kegotip CnC", "display_name": "W32/Kegotip CnC", "target": null }, { "id": "W32.Virut.ci", "display_name": "W32.Virut.ci", "target": null }, { "id": "Downloader.Generic13.CMTW", "display_name": "Downloader.Generic13.CMTW", "target": null }, { "id": "Downloader.Generic13.BOBZ", "display_name": "Downloader.Generic13.BOBZ", "target": null }, { "id": "Win.Trojan.Injector-12138", "display_name": "Win.Trojan.Injector-12138", "target": null }, { "id": "Generic36.ADTY", "display_name": "Generic36.ADTY", "target": null }, { "id": "Generic36.AIAA.Dropper", "display_name": "Generic36.AIAA.Dropper", "target": null }, { "id": "Generic36.AJSM", "display_name": "Generic36.AJSM", "target": null }, { "id": "Win32/Virut", "display_name": "Win32/Virut", "target": null }, { "id": "Win32/Ramnit.A", "display_name": "Win32/Ramnit.A", "target": null }, { "id": "Worm.Autorun-6180", "display_name": "Worm.Autorun-6180", "target": null }, { "id": "Hider.BIY", "display_name": "Hider.BIY", "target": null }, { "id": "Win.Trojan.Rootkit-4532", "display_name": "Win.Trojan.Rootkit-4532", "target": null }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win32.Injector", "display_name": "Win32.Injector", "target": null }, { "id": "TrendMicro", "display_name": "TrendMicro", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 71, "FileHash-SHA256": 853, "URL": 1639, "domain": 288, "FileHash-MD5": 78, "hostname": 545 }, "indicator_count": 3474, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "54 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655a13e4538e896c00f2077e", "name": "Spyware: http://browser.events.data.microsoftstart.cn", "description": "This report is generated by MITRE ATT&CK\u2122 and produced by the team at the University of California, San Francisco, and is available on the web, via the Microsoft Research website.\nTulach, 114.114.114.114, spyware, phishing, fraud, malvertizing, password cracker, iPhone unlocker, malicious, media sharing, miscellaneous attacks.", "modified": "2023-12-19T13:01:12.394000", "created": "2023-11-19T13:55:48.898000", "tags": [ "linkid246338", "whois record", "ssl certificate", "contacted", "execution", "historical ssl", "whois whois", "communicating", "resolutions", "referrer", "random", "august", "lockbit", "attack", "core", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "script", "temp", "ascii text", "date", "unknown", "service", "generator", "critical", "error", "meta", "hybrid", "local", "click", "strings", "threat roundup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 28, "FileHash-SHA256": 2526, "URL": 3515, "domain": 458, "hostname": 1092 }, "indicator_count": 7653, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655af35616dbd4781c681948", "name": "Spyware: http://browser.events.data.microsoftstart.cn", "description": "", "modified": "2023-12-19T13:01:12.394000", "created": "2023-11-20T05:49:10.586000", "tags": [ "linkid246338", "whois record", "ssl certificate", "contacted", "execution", "historical ssl", "whois whois", "communicating", "resolutions", "referrer", "random", "august", "lockbit", "attack", "core", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "script", "temp", "ascii text", "date", "unknown", "service", "generator", "critical", "error", "meta", "hybrid", "local", "click", "strings", "threat roundup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": "655a13e4538e896c00f2077e", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 28, "FileHash-SHA256": 2526, "URL": 3515, "domain": 458, "hostname": 1092 }, "indicator_count": 7653, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6553b88c316cfb531b9c4c10", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com", "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-14T18:12:28.459000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568ab12429c394dc4b91ea", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go", "description": "", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-16T21:33:37.838000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6553b88c316cfb531b9c4c10", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bc6301b7cdf7d04e095", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:44:54.422000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bdc3676a40633a619be", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:45:16.667000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568d67bd96e06ab44b9b95", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-16T21:45:11.721000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "65536bdc3676a40633a619be", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a980f14b5a32303bf865b", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-02T02:35:59.820000", "created": "2023-12-02T02:35:59.820000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "869 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://it.gfconsultant.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://it.gfconsultant.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776628883.5236218 }