{ "type": "URL", "indicator": "https://jdnet.top", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://jdnet.top", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3938672656, "indicator": "https://jdnet.top", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a19ca7995e758e88e06a66d", "name": "credit scoreblue ['Injection | Target devices affected. Connected to N'] clone - note: many binaries unsigned", "description": "", "modified": "2026-05-29T17:18:49.381000", "created": "2026-05-29T17:18:49.381000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": "66bb7aa9d0ec86cff5b95b64", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a19ca775c858db5edfc4101", "name": "credit scoreblue ['Injection | Target devices affected. Connected to N'] clone - note: many binaries unsigned", "description": "", "modified": "2026-05-29T17:18:47.973000", "created": "2026-05-29T17:18:47.973000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": "66bb7aa9d0ec86cff5b95b64", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7ac0b39138b588fa325b", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:24:48.834000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2287, "CVE": 10, "email": 6 }, "indicator_count": 19121, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bf15d571906a0a5e1a3", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:53.002000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7f69cd76278113c22968", "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:44:41.449000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper", "cape" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b75a315eac0ff46fa4510d", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:16:49.869000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1030, "domain": 646, "hostname": 1473, "email": 7, "CVE": 2 }, "indicator_count": 10059, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7aa9d0ec86cff5b95b64", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-09-12T14:01:56.106000", "created": "2024-08-13T15:24:25.284000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "625 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Yara Detections: Delphi", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "Vtapi: scanter.comwww.twitter.comx.com", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "X Vercel Servers", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://borpatoken.com/ borpatoken.com", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan.vtflooder/vflooder", "Trojan:win32/zombie", "Trojan:win32/comame", "Trojanspy:win32/nivdort", "Adware:win32/adload.0e19dea6", "Trojan:win32/vflooder.a", "Trojan:win32/glupteba.mt!mtb", "#virtool:win32/obfuscator", "Trojan:win32/trickler", "Virtool:win32/injector", "Malware", "Trojan:win32/pariham", "Win.packed.razy-9828382-0", "Mirai", "W32.aidetectmalware", "Win.trojan.occamy", "Searchmeup", "Adware.adload/adinstaller", "Trojandropper:win32/muldrop", "Xpire.info", "Trojanspy", "Inno:downloader-j [pup]", "Pup/win32.bundler.r1865" ], "industries": [ "Civilian society", "Technology" ], "unique_indicators": 29282 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/jdnet.top", "whois": "http://whois.domaintools.com/jdnet.top", "domain": "jdnet.top", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a19ca7995e758e88e06a66d", "name": "credit scoreblue ['Injection | Target devices affected. Connected to N'] clone - note: many binaries unsigned", "description": "", "modified": "2026-05-29T17:18:49.381000", "created": "2026-05-29T17:18:49.381000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": "66bb7aa9d0ec86cff5b95b64", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a19ca775c858db5edfc4101", "name": "credit scoreblue ['Injection | Target devices affected. Connected to N'] clone - note: many binaries unsigned", "description": "", "modified": "2026-05-29T17:18:47.973000", "created": "2026-05-29T17:18:47.973000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": "66bb7aa9d0ec86cff5b95b64", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7ac0b39138b588fa325b", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:24:48.834000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2287, "CVE": 10, "email": 6 }, "indicator_count": 19121, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7bf15d571906a0a5e1a3", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:53.002000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7f69cd76278113c22968", "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:44:41.449000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper", "cape" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b75a315eac0ff46fa4510d", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:16:49.869000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1030, "domain": 646, "hostname": 1473, "email": 7, "CVE": 2 }, "indicator_count": 10059, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66bb7aa9d0ec86cff5b95b64", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-09-12T14:01:56.106000", "created": "2024-08-13T15:24:25.284000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "625 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://jdnet.top", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://jdnet.top", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780212381.140962 }