{ "type": "URL", "indicator": "https://landing.sexselector.com/joinf", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://landing.sexselector.com/joinf", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3913120710, "indicator": "https://landing.sexselector.com/joinf", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "305 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "603 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "boot.net.anydesk.com removed from my Pulse below", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "youngcoders.ng", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Above links in search results direct out with and arrow pointing out.", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Sakula RAT: www.polarroute.com", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Ransom:win32/genasom", "Sakula", "Trojandownloader:win32/banload", "#lowfienabledtcontinueafterunpacking", "Trojanspy", "Alf:jasyp:backdoor:win32/cycbot", "Mivast", "Trojanspy:win32/usteal", "Worm:win32/autorun", "Sakula rat", "Win.trojan.xblocker-236", "Win32:mystic", "Win.trojan.poetrat-7669676-0", "Alf:heraklezeval:virtool:win32/waledac!rfn" ], "industries": [], "unique_indicators": 23623 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sexselector.com", "whois": "http://whois.domaintools.com/sexselector.com", "domain": "sexselector.com", "hostname": "landing.sexselector.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "305 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "603 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://landing.sexselector.com/joinf", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://landing.sexselector.com/joinf", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780210748.491326 }