{ "type": "URL", "indicator": "https://it.pornhub.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://it.pornhub.com/", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #80", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #894", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain pornhub.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain pornhub.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3932951466, "indicator": "https://it.pornhub.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "71 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ac1de146fa19aeb4bb119a", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "Ransomware, hacking, Linux attacks. 7notrump.com has been in circulation for more than 1 year. Malicious, pre-existing and not the result of hackers attempting to suddenly attack recently made vulnerable entities. Backdoor:Linux/Tsunami.C!MTB\nBackdoor:Linux/Tsunami.C!MTB , Ransom.Win32.Birele.gsg , Trojan:Win32/Neconyd.A , VirTool:Win32/CeeInject.SN!bit , \nC!MTB ,\nCheckin Win32/ExpressDownloader , \nET ,\nRansom.Win32.Birele.gsg , \nTrojan:Win32/Neconyd.A\nVirTool:Win32/CeeInject.SN!bit , Win.Worm.Mydoom-5 ,\nWin32.Birele.gsg", "modified": "2024-10-01T16:04:13.437000", "created": "2024-08-01T23:44:33.058000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "607 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d49947eaaf6c57bec78719", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "", "modified": "2024-10-01T16:04:13.437000", "created": "2024-09-01T16:41:43.676000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": "66ac1de146fa19aeb4bb119a", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "607 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http", "free NSFW experience offered by Dopple AI.MALWARE", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Ransom.win32.birele.gsg", "Win32.birele.gsg", "C!mtb", "Backdoor:linux/tsunami.c!mtb ransom.win32.birele.gsg trojan:win32/neconyd.a virtool:win32/ceeinject.sn!bit", "Virtool:win32/ceeinject.sn!bit", "Trojan:win32/neconyd.a", "Dopple ai", "Backdoor:linux/tsunami.c!mtb", "Win.worm.mydoom-5", "Y.a.s:1byte/tinyrod", "Snit", "Et", "Checkin win32/expressdownloader" ], "industries": [ "Media", "Government", "Technology" ], "unique_indicators": 16923 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pornhub.com", "whois": "http://whois.domaintools.com/pornhub.com", "domain": "pornhub.com", "hostname": "it.pornhub.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "71 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ac1de146fa19aeb4bb119a", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "Ransomware, hacking, Linux attacks. 7notrump.com has been in circulation for more than 1 year. Malicious, pre-existing and not the result of hackers attempting to suddenly attack recently made vulnerable entities. Backdoor:Linux/Tsunami.C!MTB\nBackdoor:Linux/Tsunami.C!MTB , Ransom.Win32.Birele.gsg , Trojan:Win32/Neconyd.A , VirTool:Win32/CeeInject.SN!bit , \nC!MTB ,\nCheckin Win32/ExpressDownloader , \nET ,\nRansom.Win32.Birele.gsg , \nTrojan:Win32/Neconyd.A\nVirTool:Win32/CeeInject.SN!bit , Win.Worm.Mydoom-5 ,\nWin32.Birele.gsg", "modified": "2024-10-01T16:04:13.437000", "created": "2024-08-01T23:44:33.058000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "607 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d49947eaaf6c57bec78719", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "", "modified": "2024-10-01T16:04:13.437000", "created": "2024-09-01T16:41:43.676000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": "66ac1de146fa19aeb4bb119a", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "607 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://it.pornhub.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://it.pornhub.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780315557.0449975 }