{ "type": "URL", "indicator": "https://jrkan.zuqiulive2.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://jrkan.zuqiulive2.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3876757054, "indicator": "https://jrkan.zuqiulive2.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695c7b40f5d2f292a7512e81", "name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com", "description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]", "modified": "2026-02-05T02:03:26.707000", "created": "2026-01-06T03:02:24.932000", "tags": [ "gmtn", "log id", "ca issuers", "b0n timestamp", "signature", "d097", "f2334482", "fc46", "b10b2898797d", "fingerprintsha1", "tsara", "we1 certificate", "dynamicloader", "medium", "write c", "host", "yara rule", "myapp", "delphi", "worm", "win32", "error", "write", "code", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "execution att", "t1204 user", "united", "mitre att", "ck matrix", "flag", "ogoogle trust", "href", "network traffic", "span", "babe", "super", "close", "general", "local", "path", "encrypt", "click", "strings", "form", "extraction", "data upload", "all ht", "enter source", "one on", "tezunau", "daut un", "dauwol lype", "ur extraction", "extrac", "n tezunau", "one opa", "included review", "faileextra", "include data", "review exclude", "sugges", "delete c", "json", "ascii text", "high", "data", "search", "stream", "unknown", "push", "next", "dirty", "enter s", "type", "extr data", "include", "ff d5", "ee fc", "eb d8", "f0 ff", "ff bb", "fd ff", "ff eb", "ed b8", "agent", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "read c", "execution", "dock", "persistence", "sc data", "present jan", "present mar", "present dec", "unknown aaaa", "passive dns", "urls", "trojanspy", "date", "present feb", "susp", "moved", "ip address", "backdoor", "usteal", "body", "title", "hybrid", "regopenkeyexa", "memcommit", "regsz", "english", "copy", "ufr stealer", "markus", "april", "updater", "entries", "rsds", "c reg", "environment", "launch" ], "references": [ "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "guidepaparazzisurface.com", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "https://chaturbate.com/notabottom/", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2543, "hostname": 848, "FileHash-SHA256": 1320, "SSLCertFingerprint": 25, "domain": 463, "FileHash-MD5": 418, "FileHash-SHA1": 197, "email": 2 }, "indicator_count": 5816, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "546 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c661131c5003925e9bfe15", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:11.612000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c66114103f15aab3b00d6c", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:12.543000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ca37ac60cb425a2b3856c6", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-24T19:42:36.642000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66c66114103f15aab3b00d6c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d4b052225d396d18e395c3", "name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-09-01T18:20:02.256000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Unique rule identifier: This rule belongs to a private collection.", "Loads modules at runtime Looks up procedures from modules", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "https://dns.google/resolve?name=SELECT", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Crowdsourced IDS Below:", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "BGP Hurricane Electric seen", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "IDS: Observed Suspicious UA (Hello, World)", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "http://freedns.afraid.org/images/apple.gif", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "consolefoundry.date \u2022 http://consolefoundry.date", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Indicators seen may have affected a few OTX users. Is ongoing", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "afraid.org | evergreen.afraid.org", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Alerts: packer_unknown", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "Matches rule ET POLICY External IP Lookup ipinfo.io", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Address shows an place of origin: Broomfield , Co", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "guidepaparazzisurface.com", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "crypto-pool.fr", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "http://consolefoundry.date/one/gate.php", "152.199.171.19 : USDA Fort Collins, Colorado", "https://www.mumuplayer.com/redirect/customerservice/_wig", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "This pulse is so huge it\u2019s a mess. Will break down.", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Malicious IP Contacted: 69.42.215.252", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "2012647\tDropbox.com Offsite File Backup in Use", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "Potentially Pegasus related . Found to be affecting an IOS device", "Yara Detections: osx_GoLang", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "gitea.neconsside.com \u2022 http://f7194.vip/login", "http://appleidi-iforgot.3utilities.com/Verify.php", "aohhpesayw.lawsonengineers.co.", "Crowdsourced SIGMA Below:", "https://api.strem.io/api/addonCollectionGet%", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "https://chaturbate.com/notabottom/", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "152.199.161.19: ANS Communications, Inc (ANS)", "www.joewa.com", "target.dropboxbusiness.com", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Alerts: cape_detected_threat", "Believed to be originating from Germany and Russia", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cve-2025-20393", "Kentuchy", "Win.trojan.emotet-9850453", "Code overlap", "Other:malware-gen\\ [trj]", "Backdoor:win32/fynloski.a", "Win.trojan.emotet-9951800-0", "Win.trojan.tofsee-7102058-0", "Cve-2024-6387", "Slf:trojan:win32/grandoreiro.a", "Unix.trojan.mirai", "Autoit", "Trojan:win32/pariham.a", "#lowfidetectsvmware", "Win.trojan.blacknetrat-7838854-0", "Virtool:win32/injector", "Neshta", "Trojan.sagnt/r011c0dfs24", "Zegost", "Win.trojan.vbgeneric-6735875-0", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Backdoor:win32/tofsee.t", "Malwarex-gen", "Worm:win32/autorun.xxy!bit", "Zergeca", "Win.packed.remcos-10024510-0", "Worm:win32/autorun.b", "Unix.trojan.mirai-7669677-0", "Psw:win32/vb.cu", "Nids", "Win.malware.salat-10058846-0", "Win.trojan.emotet-9850453-0", "Cve-2023-22518", "Other malware", "Trojanspy:win32/usteal", "Worm:win32/mofksys.rnd!mtb", "Win.dropper.nanocore-10021490-0", "Cve-2018-10562", "Worm:win32/autorun!atmn" ], "industries": [], "unique_indicators": 52895 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/zuqiulive2.com", "whois": "http://whois.domaintools.com/zuqiulive2.com", "domain": "zuqiulive2.com", "hostname": "jrkan.zuqiulive2.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695c7b40f5d2f292a7512e81", "name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com", "description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]", "modified": "2026-02-05T02:03:26.707000", "created": "2026-01-06T03:02:24.932000", "tags": [ "gmtn", "log id", "ca issuers", "b0n timestamp", "signature", "d097", "f2334482", "fc46", "b10b2898797d", "fingerprintsha1", "tsara", "we1 certificate", "dynamicloader", "medium", "write c", "host", "yara rule", "myapp", "delphi", "worm", "win32", "error", "write", "code", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "execution att", "t1204 user", "united", "mitre att", "ck matrix", "flag", "ogoogle trust", "href", "network traffic", "span", "babe", "super", "close", "general", "local", "path", "encrypt", "click", "strings", "form", "extraction", "data upload", "all ht", "enter source", "one on", "tezunau", "daut un", "dauwol lype", "ur extraction", "extrac", "n tezunau", "one opa", "included review", "faileextra", "include data", "review exclude", "sugges", "delete c", "json", "ascii text", "high", "data", "search", "stream", "unknown", "push", "next", "dirty", "enter s", "type", "extr data", "include", "ff d5", "ee fc", "eb d8", "f0 ff", "ff bb", "fd ff", "ff eb", "ed b8", "agent", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "read c", "execution", "dock", "persistence", "sc data", "present jan", "present mar", "present dec", "unknown aaaa", "passive dns", "urls", "trojanspy", "date", "present feb", "susp", "moved", "ip address", "backdoor", "usteal", "body", "title", "hybrid", "regopenkeyexa", "memcommit", "regsz", "english", "copy", "ufr stealer", "markus", "april", "updater", "entries", "rsds", "c reg", "environment", "launch" ], "references": [ "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "guidepaparazzisurface.com", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "https://chaturbate.com/notabottom/", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2543, "hostname": 848, "FileHash-SHA256": 1320, "SSLCertFingerprint": 25, "domain": 463, "FileHash-MD5": 418, "FileHash-SHA1": 197, "email": 2 }, "indicator_count": 5816, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "546 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c661131c5003925e9bfe15", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:11.612000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://jrkan.zuqiulive2.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://jrkan.zuqiulive2.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616279.6019993 }