{ "type": "URL", "indicator": "https://labelpack.staging.creeo.studio", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://labelpack.staging.creeo.studio", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3923380739, "indicator": "https://labelpack.staging.creeo.studio", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "66f837de06233b5ccdd84a81", "name": "The Real Jane Doe Syndrome Files", "description": "An array of scripts and files designed to completely compromise your MacBook and effectively erase your digital identity from the internet exists. This type of targeted attack is perpetrated by various groups for political or monetary agendas. It gradually takes over your devices and consumes your energy, time, career, and overall quality of life. In my case, the adversary involved is the DragonForce Malaysia Hacker Group.", "modified": "2024-10-28T16:02:26.345000", "created": "2024-09-28T17:07:42.479000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "automounter map", "use directory", "get home", "home autohome", "facility", "file", "level", "access", "level info", "broadcast", "store", "ignore", "rules", "sender", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "host database", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "error", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "refer", "pidfile", "flags", "bcgjnuwz", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "daemon", "service", "server", "user", "audio", "user database", "unix copy", "protocol", "gate daemon", "desktop", "agent", "bridge", "bin usrsbin", "sbin", "default pf", "care", "bashno", "r etcbashrc", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "direct", "unknown", "synack", "mind", "macos", "warp", "generic", "networkup", "term", "devnull", "common setup", "configure", "set command", "pathbin", "path", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "sunnet manager", "rpcsrc", "netlicense", "apple", "notice", "dns hostname", "dns query", "see also", "kame", "ftpd", "bindash binksh", "binsh bintcsh", "none", "fax reception", "hardwired", "0007", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "addiconbytype", "adddescription", "directory", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "format", "browsermatch", "davlockdb", "requireany", "webdav", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "apache", "full", "minrate500", "keepalive", "prod", "email", "apache http", "timeout", "number", "minimal", "major", "manual", "provide access", "options indexes", "require", "sethandler", "files", "removetype tr", "traditionally", "addlanguage da", "extendedstatus", "change", "require host", "get information", "allow server", "allow", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "ifmodule", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "mpms", "threadstacksize", "loadfile c", "html", "proxyhtmllinks", "first", "ascii", "unicode", "windows", "must", "location", "w3c html", "example", "sslsessioncache", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "userdir sites", "control access", "userdir", "virtualhost", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "include", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "win32", "main", "addtype", "directoryindex", "claim", "category", "time", "host", "threadid", "function", "line", "message", "level error", "a facility", "guest", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "usereventagent", "cups", "hp envy", "high duplex", "none colormodel", "gray gamma", "env10", "envc6", "envchou3", "envchou4", "envdl", "isob5", "false", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "system", "group value", "limit", "order deny", "require user", "owner", "authtype", "default require", "authkey", "lpadmin", "restrict access", "d0 j", "acl account", "touch id", "airdrop anchor", "reject empty", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "bugs", "matches", "postfix smtp", "ipv6 host", "reject", "reply", "prior", "hold", "info", "smtp", "isp mail", "name", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "this", "only", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "postfix queue", "unix", "beware", "class", "uucp", "shell", "local", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "update", "usrsbin", "file format", "no group", "daemondirectory", "id key", "specification", "auto exit", "vpn socket", "ipv4v6", "userfqdn", "fqdn", "auditing", "solaris", "reserved", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "removed", "Aishah Siti Lazim" ], "references": [ "afpovertcp.cfg", "auto_home", "auto_master", "asl.conf", "autofs.conf", "com.apple.screensharing.agent.launchd", "bashrc_Apple_Terminal", "csh.cshrc", "csh.login", "aliases", "csh.logout", "find.codes", "ftpusers", "hosts", "gettytab", "hosts.equiv", "kern_loader.conf", "group", "locate.rc", "mail.rc", "irbrc", "manpaths", "man.conf", "networks", "newsyslog.conf", "nfs.conf", "bashrc", "ntp_opendirectory.conf", "nsmb.conf", "ntp.conf", "passwd", "paths", "pf.conf", "profile", "notify.conf", "protocols", "pf.os", "rc.common", "rc.netboot", "rpc", "rmtab", "resolv.conf", "rtadvd.conf", "shells", "syslog.conf", "ttys", "xtab", "zprofile", "zshrc", "zshrc_Apple_Terminal", "httpd-autoindex.conf", "httpd-dav.conf", "httpd-default.conf", "httpd-manual.conf", "httpd-info.conf", "httpd-languages.conf", "httpd-mpm.conf", "proxy-html.conf", "httpd-ssl.conf", "httpd-userdir.conf", "httpd-vhosts.conf", "httpd-multilang-errordoc.conf", "httpd.conf", "mpm.conf", "php7.conf", "johndoe.conf", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.authd", "com.apple.eventmonitor", "com.apple.mail", "com.apple.iokit.power", "com.apple.MessageTracer", "com.apple.login.guest", "com.apple.install", "com.apple.networking.boringssl", "com.apple.performance", "com.apple.mkb.internal", "com.apple.coreduetd", "com.apple.mkb", "snmp.conf", "snmp.conf.default", "HP_ENVY_6000_series__3D66E1_.ppd", "cups-files.conf", "cups-files.conf.default", "cupsd.conf.default", "cupsd.conf", "com.apple.slapd.conf", "com.apple.xscertd.conf", "files.conf", "com.apple.slapconfig.conf", "authorization", "authorization_la", "authorization_ctk", "authorization_aks", "checkpw", "authorization_lacont", "chkpasswd", "cups", "login.term", "login", "other", "screensaver", "screensaver_new", "screensaver_aks", "screensaver_la", "screensaver_new_ctk", "screensaver_new_la", "screensaver_new_aks", "smbd", "sshd", "screensaver_ctk", "su", "sudo", "sudo_local.template", "10-cryptex", "com.apple", "custom_header_checks", "canonical", "access", "generic", "bounce.cf.default", "LICENSE", "makedefs.out", "header_checks", "main.cf", "main.cf.proto", "master.cf.default", "master.cf.proto", "main.cf.default", "master.cf", "relocated", "TLS_LICENSE", "virtual", "transport", "postfix-files", "racoon.conf", "psk.txt", "audit_warn", "audit_class", "audit_event", "audit_user", "audit_control.example" ], "public": 1, "adversary": "DragonForce Hacker Group Malaysia, Al-Arqam", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 285, "URL": 618, "hostname": 306, "email": 21, "FileHash-SHA256": 219, "CIDR": 3 }, "indicator_count": 1452, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "538 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "bashrc", "su", "authorization_lacont", "MyChart Phishing Scams", "manpaths", "LICENSE", "httpd-autoindex.conf", "com.apple.contacts.ContactsAutocomplete", "master.cf.default", "audit_warn", "resolv.conf", "HP_ENVY_6000_series__3D66E1_.ppd", "main.cf.default", "screensaver_ctk", "main.cf.proto", "com.apple.install", "virtual", "com.apple.authd", "relocated", "authorization_la", "screensaver", "psk.txt", "other", "nsmb.conf", "nfs.conf", "com.apple.cdscheduler", "httpd-info.conf", "rmtab", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "com.apple.MessageTracer", "sudo", "com.apple.slapconfig.conf", "login.term", "mail.rc", "locate.rc", "kern_loader.conf", "master.cf.proto", "chkpasswd", "audit_user", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "httpd-mpm.conf", "main.cf", "csh.cshrc", "httpd-userdir.conf", "newsyslog.conf", "snmp.conf", "rc.common", "com.apple.performance", "bounce.cf.default", "mpm.conf", "rpc", "custom_header_checks", "find.codes", "pf.conf", "man.conf", "files.conf", "csh.logout", "transport", "profile", "com.apple.login.guest", "cups-files.conf.default", "httpd-vhosts.conf", "com.apple", "syslog.conf", "zprofile", "hosts", "canonical", "authorization", "access", "httpd-dav.conf", "ntp_opendirectory.conf", "generic", "com.apple.mkb.internal", "ftpusers", "hosts.equiv", "screensaver_new_ctk", "audit_class", "auto_home", "screensaver_aks", "header_checks", "httpd.conf", "com.apple.mkb", "TLS_LICENSE", "postfix-files", "csh.login", "zshrc", "login", "cupsd.conf", "10-cryptex", "aliases", "authorization_aks", "xtab", "gettytab", "rc.netboot", "com.apple.slapd.conf", "com.apple.mail", "com.apple.networking.boringssl", "sudo_local.template", "makedefs.out", "com.apple.screensharing.agent.launchd", "cupsd.conf.default", "paths", "asl.conf", "pf.os", "screensaver_new_la", "irbrc", "audit_control.example", "screensaver_new_aks", "notify.conf", "screensaver_la", "ttys", "php7.conf", "auto_master", "screensaver_new", "cups-files.conf", "com.apple.xscertd.conf", "ntp.conf", "proxy-html.conf", "audit_event", "networks", "com.apple.eventmonitor", "bashrc_Apple_Terminal", "rtadvd.conf", "zshrc_Apple_Terminal", "httpd-manual.conf", "shells", "httpd-ssl.conf", "johndoe.conf", "com.apple.coreduetd", "snmp.conf.default", "httpd-default.conf", "cups", "httpd-multilang-errordoc.conf", "group", "sshd", "master.cf", "racoon.conf", "protocols", "afpovertcp.cfg", "com.apple.iokit.power", "authorization_ctk", "checkpw", "autofs.conf", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "passwd", "httpd-languages.conf", "smbd" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "DragonForce Hacker Group Malaysia, Al-Arqam" ], "malware_families": [ "Win64-trojan/pakes.exp", "Win64:ransomx-gen" ], "industries": [ "Technology", "Healthcare" ], "unique_indicators": 11839 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/creeo.studio", "whois": "http://whois.domaintools.com/creeo.studio", "domain": "creeo.studio", "hostname": "labelpack.staging.creeo.studio" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "66f837de06233b5ccdd84a81", "name": "The Real Jane Doe Syndrome Files", "description": "An array of scripts and files designed to completely compromise your MacBook and effectively erase your digital identity from the internet exists. This type of targeted attack is perpetrated by various groups for political or monetary agendas. It gradually takes over your devices and consumes your energy, time, career, and overall quality of life. In my case, the adversary involved is the DragonForce Malaysia Hacker Group.", "modified": "2024-10-28T16:02:26.345000", "created": "2024-09-28T17:07:42.479000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "automounter map", "use directory", "get home", "home autohome", "facility", "file", "level", "access", "level info", "broadcast", "store", "ignore", "rules", "sender", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "host database", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "error", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "refer", "pidfile", "flags", "bcgjnuwz", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "daemon", "service", "server", "user", "audio", "user database", "unix copy", "protocol", "gate daemon", "desktop", "agent", "bridge", "bin usrsbin", "sbin", "default pf", "care", "bashno", "r etcbashrc", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "direct", "unknown", "synack", "mind", "macos", "warp", "generic", "networkup", "term", "devnull", "common setup", "configure", "set command", "pathbin", "path", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "sunnet manager", "rpcsrc", "netlicense", "apple", "notice", "dns hostname", "dns query", "see also", "kame", "ftpd", "bindash binksh", "binsh bintcsh", "none", "fax reception", "hardwired", "0007", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "addiconbytype", "adddescription", "directory", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "format", "browsermatch", "davlockdb", "requireany", "webdav", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "apache", "full", "minrate500", "keepalive", "prod", "email", "apache http", "timeout", "number", "minimal", "major", "manual", "provide access", "options indexes", "require", "sethandler", "files", "removetype tr", "traditionally", "addlanguage da", "extendedstatus", "change", "require host", "get information", "allow server", "allow", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "ifmodule", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "mpms", "threadstacksize", "loadfile c", "html", "proxyhtmllinks", "first", "ascii", "unicode", "windows", "must", "location", "w3c html", "example", "sslsessioncache", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "userdir sites", "control access", "userdir", "virtualhost", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "include", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "win32", "main", "addtype", "directoryindex", "claim", "category", "time", "host", "threadid", "function", "line", "message", "level error", "a facility", "guest", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "usereventagent", "cups", "hp envy", "high duplex", "none colormodel", "gray gamma", "env10", "envc6", "envchou3", "envchou4", "envdl", "isob5", "false", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "system", "group value", "limit", "order deny", "require user", "owner", "authtype", "default require", "authkey", "lpadmin", "restrict access", "d0 j", "acl account", "touch id", "airdrop anchor", "reject empty", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "bugs", "matches", "postfix smtp", "ipv6 host", "reject", "reply", "prior", "hold", "info", "smtp", "isp mail", "name", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "this", "only", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "postfix queue", "unix", "beware", "class", "uucp", "shell", "local", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "update", "usrsbin", "file format", "no group", "daemondirectory", "id key", "specification", "auto exit", "vpn socket", "ipv4v6", "userfqdn", "fqdn", "auditing", "solaris", "reserved", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "removed", "Aishah Siti Lazim" ], "references": [ "afpovertcp.cfg", "auto_home", "auto_master", "asl.conf", "autofs.conf", "com.apple.screensharing.agent.launchd", "bashrc_Apple_Terminal", "csh.cshrc", "csh.login", "aliases", "csh.logout", "find.codes", "ftpusers", "hosts", "gettytab", "hosts.equiv", "kern_loader.conf", "group", "locate.rc", "mail.rc", "irbrc", "manpaths", "man.conf", "networks", "newsyslog.conf", "nfs.conf", "bashrc", "ntp_opendirectory.conf", "nsmb.conf", "ntp.conf", "passwd", "paths", "pf.conf", "profile", "notify.conf", "protocols", "pf.os", "rc.common", "rc.netboot", "rpc", "rmtab", "resolv.conf", "rtadvd.conf", "shells", "syslog.conf", "ttys", "xtab", "zprofile", "zshrc", "zshrc_Apple_Terminal", "httpd-autoindex.conf", "httpd-dav.conf", "httpd-default.conf", "httpd-manual.conf", "httpd-info.conf", "httpd-languages.conf", "httpd-mpm.conf", "proxy-html.conf", "httpd-ssl.conf", "httpd-userdir.conf", "httpd-vhosts.conf", "httpd-multilang-errordoc.conf", "httpd.conf", "mpm.conf", "php7.conf", "johndoe.conf", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.authd", "com.apple.eventmonitor", "com.apple.mail", "com.apple.iokit.power", "com.apple.MessageTracer", "com.apple.login.guest", "com.apple.install", "com.apple.networking.boringssl", "com.apple.performance", "com.apple.mkb.internal", "com.apple.coreduetd", "com.apple.mkb", "snmp.conf", "snmp.conf.default", "HP_ENVY_6000_series__3D66E1_.ppd", "cups-files.conf", "cups-files.conf.default", "cupsd.conf.default", "cupsd.conf", "com.apple.slapd.conf", "com.apple.xscertd.conf", "files.conf", "com.apple.slapconfig.conf", "authorization", "authorization_la", "authorization_ctk", "authorization_aks", "checkpw", "authorization_lacont", "chkpasswd", "cups", "login.term", "login", "other", "screensaver", "screensaver_new", "screensaver_aks", "screensaver_la", "screensaver_new_ctk", "screensaver_new_la", "screensaver_new_aks", "smbd", "sshd", "screensaver_ctk", "su", "sudo", "sudo_local.template", "10-cryptex", "com.apple", "custom_header_checks", "canonical", "access", "generic", "bounce.cf.default", "LICENSE", "makedefs.out", "header_checks", "main.cf", "main.cf.proto", "master.cf.default", "master.cf.proto", "main.cf.default", "master.cf", "relocated", "TLS_LICENSE", "virtual", "transport", "postfix-files", "racoon.conf", "psk.txt", "audit_warn", "audit_class", "audit_event", "audit_user", "audit_control.example" ], "public": 1, "adversary": "DragonForce Hacker Group Malaysia, Al-Arqam", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 285, "URL": 618, "hostname": 306, "email": 21, "FileHash-SHA256": 219, "CIDR": 3 }, "indicator_count": 1452, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "538 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://labelpack.staging.creeo.studio", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://labelpack.staging.creeo.studio", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776681351.262353 }