{ "type": "URL", "indicator": "https://js.upchinafund.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://js.upchinafund.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3840942063, "indicator": "https://js.upchinafund.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670224ac3c8cce621843a477", "name": "Man in Browser Multi-systems attack | Ransom", "description": "System wide issues. Internal and external attack affecting medical and educational institution \u2022 Man in Browser \u2022 Mail spammer. Many other priority vulnerabilities.\nShort List of Malware Families\nAtros3.AHFB\nETPRO\nNOD32\nSAPE.Heur.9B552\nSpammer:MSIL/Misnt.A\nSymantec\nTrojan:Win32/Zonsterarch\nWin.Ransomware.Sodinokibi-7013612-0\nIDS Detections\nW32/Emotet.v4 Checkin", "modified": "2024-11-05T05:02:29.649000", "created": "2024-10-06T05:48:28.806000", "tags": [ "as32934", "passive dns", "urls", "address", "search", "unknown", "aaaa", "as13414 twitter", "as19679 dropbox", "germany unknown", "france unknown", "hong kong", "asnone hong", "kong unknown", "kong", "all scoreblue", "ipv4", "files", "http", "ip address", "related nids", "files location", "flag united", "hostname", "a domains", "meta", "moved", "body", "as13768 aptum", "canada", "asnone united", "whitelisted", "url analysis", "location united", "cookie", "united states", "record type", "ttl value", "key identifier", "full name", "data", "v3 serial", "number", "cus odigicert", "cndigicert sha2", "high assurance", "server ca", "validity", "united", "as2914 ntt", "yuming", "name servers", "date", "next", "as32780 hosting", "welcome", "pulse pulses", "accept", "domainmaster", "creation date", "expiration date", "as35280 acorus", "as396982 google", "status", "cname", "united kingdom", "trojan", "service", "ransom", "pulse submit", "asn as35280", "error", "japan unknown", "post https", "post method", "medium", "high", "registry", "creates", "alerts", "contacted", "tools", "win32", "malware", "copy", "persistence", "execution", "powershell e", "script urls", "httponly set", "general", "read c", "show", "entries", "etpro trojan", "intel", "ms windows", "file", "virustotal", "write", "baidu", "vipre", "panda", "download", "main", "look", "install", "push", "sape.heur.9b552", "nod32", "symantec", "etpro", "dynamicloader", "yara rule", "stack pivoting", "cape", "maninbrowser", "mitb", "t1055", "server", "registrar abuse", "contact phone", "registrar url", "registrar", "whois lookup", "dnssec", "domain name", "attempts", "performs", "packing t1045", "browse scan", "august", "as174 cogent", "canada unknown", "overview ip", "files domain", "files related", "pulses none", "related tags", "gmt content", "type", "content length", "svr id", "encrypt", "trojandropper", "virtool", "msie", "chrome", "as45012 dogado", "tr tr", "die domain", "td tr", "gmt server", "scan endpoints", "scoreblue ipv4", "ripe route", "ip location", "asn as45012", "cloudpit dogado", "gmbh", "whois server", "reverse ip", "abuse contact", "de adminc", "ssh attacker", "mysql", "tor relays", "sabey type", "showing", "pulses", "indicator facts", "hichina zhicheng technology ltd.,", "domain", "as4837 china", "china unknown", "default", "tlsv1", "germany as34788", "post", "windows nt", "dotted quad", "fake browser", "artemis", "emotet", "as9808 china", "as56047 china", "as56040 china", "as58541 qingdao", "et trojan", "sinkhole cookie", "macoute", "sha256", "yara detections", "worm", "explorer", "possible", "april", "uchealth", "ogoogle inc", "lsalford", "ocomodo ca", "limited", "secure server", "c2087940" ], "references": [ "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "YARA Detections: WinRAR_SFX", "High Priority Alerts: antisandbox_unhook antivirus_virustotal", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "trojan.msil.spammer.ai = spammer.ai", "interact.f5.com", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "https://bd-server.com/user/JasminMcVey2/", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "Suspicious of NSO Pegasus type spyware campaign (possibly)" ], "public": 1, "adversary": "", "targeted_countries": [ "Singapore", "Malaysia", "United States of America", "Argentina", "France", "Sweden", "Ireland", "Romania", "Taiwan", "Germany", "Netherlands", "Brazil", "Colombia", "Indonesia", "Hong Kong", "Poland", "Slovakia", "Lithuania", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Slovenia", "Greece", "Italy", "Aruba", "China", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Zonsterarch", "display_name": "Trojan:Win32/Zonsterarch", "target": "/malware/Trojan:Win32/Zonsterarch" }, { "id": "Win.Ransomware.Sodinokibi-7013612-0", "display_name": "Win.Ransomware.Sodinokibi-7013612-0", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Spammer:MSIL/Misnt.A", "display_name": "Spammer:MSIL/Misnt.A", "target": "/malware/Spammer:MSIL/Misnt.A" }, { "id": "SAPE.Heur.9B552", "display_name": "SAPE.Heur.9B552", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "Symantec", "display_name": "Symantec", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "C2087940", "display_name": "C2087940", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [ "Healthcare", "Civilian Society", "Technology", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1287, "hostname": 2995, "URL": 3606, "email": 22, "FileHash-MD5": 173, "FileHash-SHA256": 1059, "FileHash-SHA1": 163, "CIDR": 1, "SSLCertFingerprint": 43 }, "indicator_count": 9349, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66dfa5a84844f3703fea6b84", "name": "Maktub Locker Ransomware", "description": "Maktub Locker Ransomware is old, works and arrives to victims like typical ransomware. I . I'm can't make a valuable contribution regarding link that populates fbi.gov node without security header. . Tulach -114.114.114.114 is at the center of most of the vulnerabilities I've researched. I've removed Tsara Brashears and name and organizations relating Brian Sabey from pulse. VT Alexo auto populated in tags. Internet search shows he referenced link and 'black suits' I did not research VT-Alexo and I don't know his significance to the Ransomware link [link appears 1st in references]. \nThere has been so much government, healthcare, legal, and law enforcement entanglement and/or/likely impersonation regarding a main issue I've been researching. Lost in this moment...", "modified": "2024-10-09T21:01:40.228000", "created": "2024-09-10T01:49:28.437000", "tags": [ "axeljg", "kulinskiarkadi", "ip hostname", "reverse ip", "united", "regopenkeyexw", "cryptexportkey", "regsetvalueexa", "ip address", "medium", "regdword", "t1047", "instrumentation", "rpcs", "high", "win32", "malware", "showing", "entries disa", "entrypoint", "fbi.gov", "alexo", "germany", "united states", "brian sabey", "thebrotherssabey", "alexo virustotal", "yara detections", "ids detections", "contacted", "show", "medium windows", "alerts", "maktub locker", "tsara brashness dead", "aig", "soc", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "compiler", "vs2008", "vs2005", "contained", "info compiler", "products", "vs2008 sp1", "header intel", "name md5", "type", "language", "virus", "urls", "javascript", "b file", "files", "file type", "rich text", "format", "found", "downloads", "injection t1055", "spawns", "t1497 may", "https", "mitre att", "ta0002 shared", "modules t1129", "window", "get file", "check mutex", "print debug", "get disk", "check", "enumerate gui", "create mutex", "query", "enumerate", "create shortcut", "capture", "get http", "windows nt", "request", "response", "number", "algorithm", "ja3s", "cus cnr3", "subject", "http requests", "samplepath", "runtime modules", "referrer", "threat network", "infrastructure", "historical ssl", "approach", "ta413", "tibetan targets", "vy binh", "march", "tulach", "114.114.114.114", "libreoffice.org", "as174 cogent", "china unknown", "china", "passive dns", "entries", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "twitter", "problems", "domainabuse", "creation date", "search", "domain", "domain name", "expiration date", "nanjing", "date", "all search", "trojan", "trojan features", "related pulses", "file samples", "files matching", "sort" ], "references": [ "Ransomware\u00bbTrojanDownloader:Win32/Dalexis | FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Antivirus Detections Win32:Filecoder-AD\\ [Trj] , Win.Malware.Cabby-6803812-0 , TrojanDownloader:Win32/Dalexis!rfn!rfn", "IDS Detections: Maktub Locker TOR Status Check TOR Consensus Data Requested TOR 1.0 Server Key Retrieval Tor Get Server Request TLS Handshake", "Domains Contacted: fbi.gov", "IP\u2019s Contacted: 104.16.149.244 128.31.0.39 131.188.40.189 14.200.177.98 148.251.79.57", "IP\u2019s Contacted: 185.220.100.255 199.249.230.142 199.254.238.52 23.128.248.20 45.58.156.76", "tulach.cc| 114.114.114.114 [public1.114dns.com] | thebrotherssabey | bian sabey under multiple WP & DGA domains , various titles , various roles", "External Hosts Top Country United States, Germany | IP Hostname: 104.16.149.244: fbi.gov | United States: AS13335 cloudflare", "Type Indicator Reason: IPv4 104.16.149.244 In CDN range: provider=cloudflare IPv4 131.188.40.189 IP Associated with Tor Exit Nodes", "Type Indicator Reason: IPv4 192.168.56.108 Private IP Address: IPv4 46.20.35.112 IP Associated with Tor Exit Nodes: Domain: fbi.gov", "PE Anomalies: entropy_based | Yara Detections: Yara Detections stack_string | Stack_String: stack_string E\u000fEEEE\u000fEEEE\u000fEEEE\u000fEEEE\u000fEE\u000fEE\u000fEE\u000fEE\u000f", "DISA Entrypoint: call 0x41259b jmp 0x40b3ac int3 int3 int3 int3 int3 int3 int3 int3", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http packer_entropy", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters raises_exception", "Alerts: queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name", "Interesting Strings: http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/sType/ResourceRef", "Interesting Strings: http://www.w3.org/1999/02/22", "Virus: \"ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer\"", "Cryptographical plain text c\ufffdh\u000f\u00107\ufffd\ufffd1Q\ufffd\u0286\ufffd\u0254E\ufffdW\u0014\ufffd\u0382\ufffd Rw\ufffde\ufffd\ufffd%\u000b\ufffd\ufffd\ufffdreudt\ufffd\ufffd\ufffd", "IDS: Matches rule ET JA3 Hash - Possible Malware - Dridex", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 129, 750, 824, 439, 282, 820, 21 , 63, 896, 91, 11, 202, 684 919,31 ,156, 743", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule (http_inspect) white space before or between HTTP messages Matches rule SURICATA HTTP Request abnormal Content-Encoding", "Sigma: Matches rule Failed Code Integrity Checks by Thomas Patzke Matches rule Process Creation Using Sysnative Folder by Max Altgelt", "YARA Signature Match - THOR APT Scanner - RULE_AUTHOR: Florian Roth", "RULE: MAL_Agent_May20_1 RULE_SET: Livehunt - Default22 Indicators RULE_TYPE: VALHALLA rule feed only \u26a1- RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 DESCRIPTION:", "Detects malware used in activity noticed 05/2020 likely related to Chinese actor", "REFERENCE: ACSC IOCs May 2020 pivoting RULE_AUTHOR: Florian Roth", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "114.114.114.114 IDS Detections DYNAMIC_DNS Query to a *.ns1.name Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work", "IP 114.114.114.114 Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB ,", "IP 114.114.114.114 Antivirus Detections: ALF:PUA:Block:VrBrothers.R!MTB , ALF:Trojan:MSIL/AgentTesla.KM , ALFPER:RefLoadApiHash ,", "IP 114.114.114.114 Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB , Backdoor:Linux/Gafgyt.AF!MTB , Can't access file ,", "IP 114.114.114.114 Antivirus Detections: Trojan:Win32/Magania.DSK!MTB , TEL:SIGATTR:CreateRemoteThread", "IP 114.114.114.114 Domain 114dns.com: PegasusPlus", "Emails: pegasusplus@gmail.com Name: Zhao Zhenping Name Servers: NS1000.114DNS.COM Org: Nanjing XinFeng Network Technologies, Inc.", "Address:\tRoom 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China City nan jing shi Country", "https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China" ], "malware_families": [ { "id": "Maktub Locker", "display_name": "Maktub Locker", "target": null }, { "id": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/TrojanDownloader:Win32/Dalexis!rfn!rfn" }, { "id": "Trojan:Win32/Magania", "display_name": "Trojan:Win32/Magania", "target": "/malware/Trojan:Win32/Magania" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Government", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 182, "FileHash-SHA1": 199, "FileHash-SHA256": 2383, "domain": 395, "URL": 1382, "hostname": 699, "email": 2, "CVE": 1 }, "indicator_count": 5243, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668cebf4b3498d2f9b9e9596", "name": "Trojan:Win32/Predator - walmartmobile.cn", "description": "Monitoring, invalid URLs, malicious redirects, cams,cyber crime, red team contract. Collects targets, calls, photos, network, dns, disables proxy, movies services,, messages, shopping habits, contacts. Intrusive as always.", "modified": "2024-08-08T07:05:50.946000", "created": "2024-07-09T07:51:16.371000", "tags": [ "popularity", "ingestion time", "utc cisco", "umbrella", "utc statvoo", "record type", "server", "dnssec", "email", "dns replication", "android", "files", "china unknown", "as4837 china", "aaaa", "search", "moved", "net technology", "for privacy", "name servers", "redacted for", "encrypt", "body", "next", "passive dns", "urls", "scan endpoints", "all scoreblue", "url http", "http", "ip address", "related nids", "files location", "ipv4", "url analysis", "location china", "script script", "td tr", "please", "please enter", "za z0", "server ca", "meta", "a li", "a domains", "ul div", "443 ma2592000", "gmt content", "servers", "https", "self", "hostname", "window", "icloud_apple_id", "apple", "apple ios", "apple id", "apple message", "msie", "chrome", "title", "head body", "center hr", "united", "unknown", "as32934", "as13414 twitter", "as19679 dropbox", "as20940", "kos", "walmart", "calls", "checking", "latest version", "invoked methods", "highlighted", "shell commands", "written", "files deleted", "files copied", "file", "process", "post http", "request", "get http", "dns resolutions", "ip traffic", "process32nextw", "shellexecuteexw", "get na", "entries", "medium", "show", "china as4837", "yara detections", "regsetvalueexw", "dock", "write", "win32", "persistence", "execution", "copy", "cname", "asnone united", "registrar", "as2914 ntt", "hichina", "certificate", "showing", "as142403 yisu", "china asn", "suspicious", "open", "write c", "create c", "read c", "windows nt", "wow64", "slcc2", "media center", "default", "discovery", "xebrbxeax1ezxf0", "sxe0x0cx1cxf8", "invalid url", "status", "reflection", "telephony", "yuming", "domain", "expiration date", "div div", "a div", "span a", "script urls", "p span", "pragma", "trident", "form", "applei_imessage_ios", "as4134 chinanet", "as3356 level", "asnone china", "date", "tsara brashears", "rwi dtools", "pyinstaller", "password", "cybercrime", "valid from", "number", "thumbprint", "ipwnderv1", "hacktool", "phishing", "facebook", "all search", "otx scoreblue", "pulse submit", "injection", "mobile", "tmobile" ], "references": [ "walmartmobile.cn", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "traceability-qa.walmartmobile.cn", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://tshop.doido.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "Unique antivirus detections for files communicating with IP address", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Brazil", "Ireland", "Germany", "Chile", "China", "Switzerland" ], "malware_families": [ { "id": "RiskTool.AndroidOS.beto", "display_name": "RiskTool.AndroidOS.beto", "target": null }, { "id": "Trojan.TrojanBanker.Android", "display_name": "Trojan.TrojanBanker.Android", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1737, "hostname": 4754, "URL": 11496, "FileHash-MD5": 96, "FileHash-SHA1": 79, "FileHash-SHA256": 2457, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 20632, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "661 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Redirects to https://twitter.com?mx=1", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "RULE: MAL_Agent_May20_1 RULE_SET: Livehunt - Default22 Indicators RULE_TYPE: VALHALLA rule feed only \u26a1- RULE_AUTHOR: Florian Roth", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "Sigma: Matches rule Failed Code Integrity Checks by Thomas Patzke Matches rule Process Creation Using Sysnative Folder by Max Altgelt", "IP 114.114.114.114 Antivirus Detections: Trojan:Win32/Magania.DSK!MTB , TEL:SIGATTR:CreateRemoteThread", "DISA Entrypoint: call 0x41259b jmp 0x40b3ac int3 int3 int3 int3 int3 int3 int3 int3", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "IP 114.114.114.114 Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB ,", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "YARA Signature Match - THOR APT Scanner - RULE_AUTHOR: Florian Roth", "PE Anomalies: entropy_based | Yara Detections: Yara Detections stack_string | Stack_String: stack_string E\u000fEEEE\u000fEEEE\u000fEEEE\u000fEEEE\u000fEE\u000fEE\u000fEE\u000fEE\u000f", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "http://x.com/denverpolice/status/", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "REFERENCE: ACSC IOCs May 2020 pivoting RULE_AUTHOR: Florian Roth", "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Interesting Strings: http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/sType/ResourceRef", "Address:\tRoom 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China City nan jing shi Country", "https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 129, 750, 824, 439, 282, 820, 21 , 63, 896, 91, 11, 202, 684 919,31 ,156, 743", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "Domains Contacted: fbi.gov", "Type Indicator Reason: IPv4 104.16.149.244 In CDN range: provider=cloudflare IPv4 131.188.40.189 IP Associated with Tor Exit Nodes", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 DESCRIPTION:", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "Suspicious of NSO Pegasus type spyware campaign (possibly)", "Virus: \"ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer\"", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "walmartmobile.cn", "Antivirus Detections Win32:Filecoder-AD\\ [Trj] , Win.Malware.Cabby-6803812-0 , TrojanDownloader:Win32/Dalexis!rfn!rfn", "YARA Detections: WinRAR_SFX", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Ransomware\u00bbTrojanDownloader:Win32/Dalexis | FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh", "Alerts: queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name", "Detects malware used in activity noticed 05/2020 likely related to Chinese actor", "Cryptographical plain text c\ufffdh\u000f\u00107\ufffd\ufffd1Q\ufffd\u0286\ufffd\u0254E\ufffdW\u0014\ufffd\u0382\ufffd Rw\ufffde\ufffd\ufffd%\u000b\ufffd\ufffd\ufffdreudt\ufffd\ufffd\ufffd", "IP\u2019s Contacted: 185.220.100.255 199.249.230.142 199.254.238.52 23.128.248.20 45.58.156.76", "IP\u2019s Contacted: 104.16.149.244 128.31.0.39 131.188.40.189 14.200.177.98 148.251.79.57", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "114.114.114.114 IDS Detections DYNAMIC_DNS Query to a *.ns1.name Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work", "Interesting Strings: http://www.w3.org/1999/02/22", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http packer_entropy", "traceability-qa.walmartmobile.cn", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters raises_exception", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "IDS: Matches rule ET JA3 Hash - Possible Malware - Dridex", "IP 114.114.114.114 Domain 114dns.com: PegasusPlus", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "IP 114.114.114.114 Antivirus Detections: ALF:PUA:Block:VrBrothers.R!MTB , ALF:Trojan:MSIL/AgentTesla.KM , ALFPER:RefLoadApiHash ,", "Unique antivirus detections for files communicating with IP address", "Type Indicator Reason: IPv4 192.168.56.108 Private IP Address: IPv4 46.20.35.112 IP Associated with Tor Exit Nodes: Domain: fbi.gov", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "IDS Detections: Maktub Locker TOR Status Check TOR Consensus Data Requested TOR 1.0 Server Key Retrieval Tor Get Server Request TLS Handshake", "tulach.cc| 114.114.114.114 [public1.114dns.com] | thebrotherssabey | bian sabey under multiple WP & DGA domains , various titles , various roles", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "High Priority Alerts: antisandbox_unhook antivirus_virustotal", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://bd-server.com/user/JasminMcVey2/", "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "interact.f5.com", "IP 114.114.114.114 Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB , Backdoor:Linux/Gafgyt.AF!MTB , Can't access file ,", "Emails: pegasusplus@gmail.com Name: Zhao Zhenping Name Servers: NS1000.114DNS.COM Org: Nanjing XinFeng Network Technologies, Inc.", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "External Hosts Top Country United States, Germany | IP Hostname: 104.16.149.244: fbi.gov | United States: AS13335 cloudflare", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "IDS: Matches rule (http_inspect) white space before or between HTTP messages Matches rule SURICATA HTTP Request abnormal Content-Encoding", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "trojan.msil.spammer.ai = spammer.ai", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "http://tshop.doido.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Spammer:msil/misnt.a", "Worm:win32/macoute.a", "Sape.heur.9b552", "Trojan:win32/zonsterarch", "Win.ransomware.sodinokibi-7013612-0", "Maktub locker", "C2087940", "Symantec", "Risktool.androidos.beto", "Trojan:win32/qqpass", "Win32:malware-gen", "Win32/vflooder.b vtapi dos", "Emotet", "Win.dropper.qqpass-9895638-0", "Etpro", "Win.trojan.agent-752791", "Win.malware.vtflooder-6723768-0", "Trojan:win32/magania", "Trojandownloader:win32/dalexis!rfn!rfn", "Trojan.trojanbanker.android", "Win32/vflooder.b checkin", "Win32:trojan-gen", "Wannacry", "Win.trojan.downloader-63174", "Atros3.ahfb", "Alf:heraklezeval:trojan:win32/predator!rfn", "Clicker.bgou", "Nod32" ], "industries": [ "Technology", "Government", "Telecommunications", "Civilian society", "Healthcare", "Education" ], "unique_indicators": 49542 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/upchinafund.com", "whois": "http://whois.domaintools.com/upchinafund.com", "domain": "upchinafund.com", "hostname": "js.upchinafund.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670224ac3c8cce621843a477", "name": "Man in Browser Multi-systems attack | Ransom", "description": "System wide issues. Internal and external attack affecting medical and educational institution \u2022 Man in Browser \u2022 Mail spammer. Many other priority vulnerabilities.\nShort List of Malware Families\nAtros3.AHFB\nETPRO\nNOD32\nSAPE.Heur.9B552\nSpammer:MSIL/Misnt.A\nSymantec\nTrojan:Win32/Zonsterarch\nWin.Ransomware.Sodinokibi-7013612-0\nIDS Detections\nW32/Emotet.v4 Checkin", "modified": "2024-11-05T05:02:29.649000", "created": "2024-10-06T05:48:28.806000", "tags": [ "as32934", "passive dns", "urls", "address", "search", "unknown", "aaaa", "as13414 twitter", "as19679 dropbox", "germany unknown", "france unknown", "hong kong", "asnone hong", "kong unknown", "kong", "all scoreblue", "ipv4", "files", "http", "ip address", "related nids", "files location", "flag united", "hostname", "a domains", "meta", "moved", "body", "as13768 aptum", "canada", "asnone united", "whitelisted", "url analysis", "location united", "cookie", "united states", "record type", "ttl value", "key identifier", "full name", "data", "v3 serial", "number", "cus odigicert", "cndigicert sha2", "high assurance", "server ca", "validity", "united", "as2914 ntt", "yuming", "name servers", "date", "next", "as32780 hosting", "welcome", "pulse pulses", "accept", "domainmaster", "creation date", "expiration date", "as35280 acorus", "as396982 google", "status", "cname", "united kingdom", "trojan", "service", "ransom", "pulse submit", "asn as35280", "error", "japan unknown", "post https", "post method", "medium", "high", "registry", "creates", "alerts", "contacted", "tools", "win32", "malware", "copy", "persistence", "execution", "powershell e", "script urls", "httponly set", "general", "read c", "show", "entries", "etpro trojan", "intel", "ms windows", "file", "virustotal", "write", "baidu", "vipre", "panda", "download", "main", "look", "install", "push", "sape.heur.9b552", "nod32", "symantec", "etpro", "dynamicloader", "yara rule", "stack pivoting", "cape", "maninbrowser", "mitb", "t1055", "server", "registrar abuse", "contact phone", "registrar url", "registrar", "whois lookup", "dnssec", "domain name", "attempts", "performs", "packing t1045", "browse scan", "august", "as174 cogent", "canada unknown", "overview ip", "files domain", "files related", "pulses none", "related tags", "gmt content", "type", "content length", "svr id", "encrypt", "trojandropper", "virtool", "msie", "chrome", "as45012 dogado", "tr tr", "die domain", "td tr", "gmt server", "scan endpoints", "scoreblue ipv4", "ripe route", "ip location", "asn as45012", "cloudpit dogado", "gmbh", "whois server", "reverse ip", "abuse contact", "de adminc", "ssh attacker", "mysql", "tor relays", "sabey type", "showing", "pulses", "indicator facts", "hichina zhicheng technology ltd.,", "domain", "as4837 china", "china unknown", "default", "tlsv1", "germany as34788", "post", "windows nt", "dotted quad", "fake browser", "artemis", "emotet", "as9808 china", "as56047 china", "as56040 china", "as58541 qingdao", "et trojan", "sinkhole cookie", "macoute", "sha256", "yara detections", "worm", "explorer", "possible", "april", "uchealth", "ogoogle inc", "lsalford", "ocomodo ca", "limited", "secure server", "c2087940" ], "references": [ "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "YARA Detections: WinRAR_SFX", "High Priority Alerts: antisandbox_unhook antivirus_virustotal", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "trojan.msil.spammer.ai = spammer.ai", "interact.f5.com", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "https://bd-server.com/user/JasminMcVey2/", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "Suspicious of NSO Pegasus type spyware campaign (possibly)" ], "public": 1, "adversary": "", "targeted_countries": [ "Singapore", "Malaysia", "United States of America", "Argentina", "France", "Sweden", "Ireland", "Romania", "Taiwan", "Germany", "Netherlands", "Brazil", "Colombia", "Indonesia", "Hong Kong", "Poland", "Slovakia", "Lithuania", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Slovenia", "Greece", "Italy", "Aruba", "China", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Zonsterarch", "display_name": "Trojan:Win32/Zonsterarch", "target": "/malware/Trojan:Win32/Zonsterarch" }, { "id": "Win.Ransomware.Sodinokibi-7013612-0", "display_name": "Win.Ransomware.Sodinokibi-7013612-0", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Spammer:MSIL/Misnt.A", "display_name": "Spammer:MSIL/Misnt.A", "target": "/malware/Spammer:MSIL/Misnt.A" }, { "id": "SAPE.Heur.9B552", "display_name": "SAPE.Heur.9B552", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "Symantec", "display_name": "Symantec", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "C2087940", "display_name": "C2087940", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [ "Healthcare", "Civilian Society", "Technology", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1287, "hostname": 2995, "URL": 3606, "email": 22, "FileHash-MD5": 173, "FileHash-SHA256": 1059, "FileHash-SHA1": 163, "CIDR": 1, "SSLCertFingerprint": 43 }, "indicator_count": 9349, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66dfa5a84844f3703fea6b84", "name": "Maktub Locker Ransomware", "description": "Maktub Locker Ransomware is old, works and arrives to victims like typical ransomware. I . I'm can't make a valuable contribution regarding link that populates fbi.gov node without security header. . Tulach -114.114.114.114 is at the center of most of the vulnerabilities I've researched. I've removed Tsara Brashears and name and organizations relating Brian Sabey from pulse. VT Alexo auto populated in tags. Internet search shows he referenced link and 'black suits' I did not research VT-Alexo and I don't know his significance to the Ransomware link [link appears 1st in references]. \nThere has been so much government, healthcare, legal, and law enforcement entanglement and/or/likely impersonation regarding a main issue I've been researching. Lost in this moment...", "modified": "2024-10-09T21:01:40.228000", "created": "2024-09-10T01:49:28.437000", "tags": [ "axeljg", "kulinskiarkadi", "ip hostname", "reverse ip", "united", "regopenkeyexw", "cryptexportkey", "regsetvalueexa", "ip address", "medium", "regdword", "t1047", "instrumentation", "rpcs", "high", "win32", "malware", "showing", "entries disa", "entrypoint", "fbi.gov", "alexo", "germany", "united states", "brian sabey", "thebrotherssabey", "alexo virustotal", "yara detections", "ids detections", "contacted", "show", "medium windows", "alerts", "maktub locker", "tsara brashness dead", "aig", "soc", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "compiler", "vs2008", "vs2005", "contained", "info compiler", "products", "vs2008 sp1", "header intel", "name md5", "type", "language", "virus", "urls", "javascript", "b file", "files", "file type", "rich text", "format", "found", "downloads", "injection t1055", "spawns", "t1497 may", "https", "mitre att", "ta0002 shared", "modules t1129", "window", "get file", "check mutex", "print debug", "get disk", "check", "enumerate gui", "create mutex", "query", "enumerate", "create shortcut", "capture", "get http", "windows nt", "request", "response", "number", "algorithm", "ja3s", "cus cnr3", "subject", "http requests", "samplepath", "runtime modules", "referrer", "threat network", "infrastructure", "historical ssl", "approach", "ta413", "tibetan targets", "vy binh", "march", "tulach", "114.114.114.114", "libreoffice.org", "as174 cogent", "china unknown", "china", "passive dns", "entries", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "twitter", "problems", "domainabuse", "creation date", "search", "domain", "domain name", "expiration date", "nanjing", "date", "all search", "trojan", "trojan features", "related pulses", "file samples", "files matching", "sort" ], "references": [ "Ransomware\u00bbTrojanDownloader:Win32/Dalexis | FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Antivirus Detections Win32:Filecoder-AD\\ [Trj] , Win.Malware.Cabby-6803812-0 , TrojanDownloader:Win32/Dalexis!rfn!rfn", "IDS Detections: Maktub Locker TOR Status Check TOR Consensus Data Requested TOR 1.0 Server Key Retrieval Tor Get Server Request TLS Handshake", "Domains Contacted: fbi.gov", "IP\u2019s Contacted: 104.16.149.244 128.31.0.39 131.188.40.189 14.200.177.98 148.251.79.57", "IP\u2019s Contacted: 185.220.100.255 199.249.230.142 199.254.238.52 23.128.248.20 45.58.156.76", "tulach.cc| 114.114.114.114 [public1.114dns.com] | thebrotherssabey | bian sabey under multiple WP & DGA domains , various titles , various roles", "External Hosts Top Country United States, Germany | IP Hostname: 104.16.149.244: fbi.gov | United States: AS13335 cloudflare", "Type Indicator Reason: IPv4 104.16.149.244 In CDN range: provider=cloudflare IPv4 131.188.40.189 IP Associated with Tor Exit Nodes", "Type Indicator Reason: IPv4 192.168.56.108 Private IP Address: IPv4 46.20.35.112 IP Associated with Tor Exit Nodes: Domain: fbi.gov", "PE Anomalies: entropy_based | Yara Detections: Yara Detections stack_string | Stack_String: stack_string E\u000fEEEE\u000fEEEE\u000fEEEE\u000fEEEE\u000fEE\u000fEE\u000fEE\u000fEE\u000f", "DISA Entrypoint: call 0x41259b jmp 0x40b3ac int3 int3 int3 int3 int3 int3 int3 int3", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http packer_entropy", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters raises_exception", "Alerts: queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name", "Interesting Strings: http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/sType/ResourceRef", "Interesting Strings: http://www.w3.org/1999/02/22", "Virus: \"ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer\"", "Cryptographical plain text c\ufffdh\u000f\u00107\ufffd\ufffd1Q\ufffd\u0286\ufffd\u0254E\ufffdW\u0014\ufffd\u0382\ufffd Rw\ufffde\ufffd\ufffd%\u000b\ufffd\ufffd\ufffdreudt\ufffd\ufffd\ufffd", "IDS: Matches rule ET JA3 Hash - Possible Malware - Dridex", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 129, 750, 824, 439, 282, 820, 21 , 63, 896, 91, 11, 202, 684 919,31 ,156, 743", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule (http_inspect) white space before or between HTTP messages Matches rule SURICATA HTTP Request abnormal Content-Encoding", "Sigma: Matches rule Failed Code Integrity Checks by Thomas Patzke Matches rule Process Creation Using Sysnative Folder by Max Altgelt", "YARA Signature Match - THOR APT Scanner - RULE_AUTHOR: Florian Roth", "RULE: MAL_Agent_May20_1 RULE_SET: Livehunt - Default22 Indicators RULE_TYPE: VALHALLA rule feed only \u26a1- RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 DESCRIPTION:", "Detects malware used in activity noticed 05/2020 likely related to Chinese actor", "REFERENCE: ACSC IOCs May 2020 pivoting RULE_AUTHOR: Florian Roth", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "114.114.114.114 IDS Detections DYNAMIC_DNS Query to a *.ns1.name Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work", "IP 114.114.114.114 Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB ,", "IP 114.114.114.114 Antivirus Detections: ALF:PUA:Block:VrBrothers.R!MTB , ALF:Trojan:MSIL/AgentTesla.KM , ALFPER:RefLoadApiHash ,", "IP 114.114.114.114 Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB , Backdoor:Linux/Gafgyt.AF!MTB , Can't access file ,", "IP 114.114.114.114 Antivirus Detections: Trojan:Win32/Magania.DSK!MTB , TEL:SIGATTR:CreateRemoteThread", "IP 114.114.114.114 Domain 114dns.com: PegasusPlus", "Emails: pegasusplus@gmail.com Name: Zhao Zhenping Name Servers: NS1000.114DNS.COM Org: Nanjing XinFeng Network Technologies, Inc.", "Address:\tRoom 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China City nan jing shi Country", "https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China" ], "malware_families": [ { "id": "Maktub Locker", "display_name": "Maktub Locker", "target": null }, { "id": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/TrojanDownloader:Win32/Dalexis!rfn!rfn" }, { "id": "Trojan:Win32/Magania", "display_name": "Trojan:Win32/Magania", "target": "/malware/Trojan:Win32/Magania" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Government", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 182, "FileHash-SHA1": 199, "FileHash-SHA256": 2383, "domain": 395, "URL": 1382, "hostname": 699, "email": 2, "CVE": 1 }, "indicator_count": 5243, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668cebf4b3498d2f9b9e9596", "name": "Trojan:Win32/Predator - walmartmobile.cn", "description": "Monitoring, invalid URLs, malicious redirects, cams,cyber crime, red team contract. Collects targets, calls, photos, network, dns, disables proxy, movies services,, messages, shopping habits, contacts. Intrusive as always.", "modified": "2024-08-08T07:05:50.946000", "created": "2024-07-09T07:51:16.371000", "tags": [ "popularity", "ingestion time", "utc cisco", "umbrella", "utc statvoo", "record type", "server", "dnssec", "email", "dns replication", "android", "files", "china unknown", "as4837 china", "aaaa", "search", "moved", "net technology", "for privacy", "name servers", "redacted for", "encrypt", "body", "next", "passive dns", "urls", "scan endpoints", "all scoreblue", "url http", "http", "ip address", "related nids", "files location", "ipv4", "url analysis", "location china", "script script", "td tr", "please", "please enter", "za z0", "server ca", "meta", "a li", "a domains", "ul div", "443 ma2592000", "gmt content", "servers", "https", "self", "hostname", "window", "icloud_apple_id", "apple", "apple ios", "apple id", "apple message", "msie", "chrome", "title", "head body", "center hr", "united", "unknown", "as32934", "as13414 twitter", "as19679 dropbox", "as20940", "kos", "walmart", "calls", "checking", "latest version", "invoked methods", "highlighted", "shell commands", "written", "files deleted", "files copied", "file", "process", "post http", "request", "get http", "dns resolutions", "ip traffic", "process32nextw", "shellexecuteexw", "get na", "entries", "medium", "show", "china as4837", "yara detections", "regsetvalueexw", "dock", "write", "win32", "persistence", "execution", "copy", "cname", "asnone united", "registrar", "as2914 ntt", "hichina", "certificate", "showing", "as142403 yisu", "china asn", "suspicious", "open", "write c", "create c", "read c", "windows nt", "wow64", "slcc2", "media center", "default", "discovery", "xebrbxeax1ezxf0", "sxe0x0cx1cxf8", "invalid url", "status", "reflection", "telephony", "yuming", "domain", "expiration date", "div div", "a div", "span a", "script urls", "p span", "pragma", "trident", "form", "applei_imessage_ios", "as4134 chinanet", "as3356 level", "asnone china", "date", "tsara brashears", "rwi dtools", "pyinstaller", "password", "cybercrime", "valid from", "number", "thumbprint", "ipwnderv1", "hacktool", "phishing", "facebook", "all search", "otx scoreblue", "pulse submit", "injection", "mobile", "tmobile" ], "references": [ "walmartmobile.cn", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "traceability-qa.walmartmobile.cn", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://tshop.doido.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "Unique antivirus detections for files communicating with IP address", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Brazil", "Ireland", "Germany", "Chile", "China", "Switzerland" ], "malware_families": [ { "id": "RiskTool.AndroidOS.beto", "display_name": "RiskTool.AndroidOS.beto", "target": null }, { "id": "Trojan.TrojanBanker.Android", "display_name": "Trojan.TrojanBanker.Android", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1737, "hostname": 4754, "URL": 11496, "FileHash-MD5": 96, "FileHash-SHA1": 79, "FileHash-SHA256": 2457, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 20632, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "661 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://js.upchinafund.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://js.upchinafund.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780234759.764965 }