{ "type": "URL", "indicator": "https://lb.eu-1-id5-sync.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://lb.eu-1-id5-sync.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3658668730, "indicator": "https://lb.eu-1-id5-sync.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "68730c407f8484c524c2d7f4", "name": "The Denver Post used for Fake news | Foundry | Twitter | Porn", "description": "Is the Denver Post a honey pot? Portal? Used for investigating? Smear campaigns? \n\nVictims reported for multiple years their names have been advertised in malicious red report campaigns, obituaries, threats. This has been true of the Ricky Mountain News which has been out of business for years and Denver Post.\n\n\nI can\u2019t annotate so I can\u2019t include references.\nReferences:\nFoundry\nTwitter\nDouglas Undersheriff who was either being smeared or heading a smear campaign.\nPorn\nTwitter \nInjured worker\u2019s compensation targets with la he loss including death.\nThey don\u2019t want to pay. Crazy fact: Workers compensation keeps the nearly a billion $ annually tax free. Does not want to pay. Bonuses doctors and anyone who will deny truly injured workers their compensation. \n#callthecopsifyousee_o-o_t_pac", "modified": "2025-08-12T01:02:51.771000", "created": "2025-07-13T01:30:40.917000", "tags": [ "gtmtlfp4r", "utc gtmtlfp4r", "domains", "hashes", "reverse dns", "url https", "general full", "united", "security tls", "resource", "protocol h2", "software", "hash", "name value", "main", "spurlock", "carlos illescas", "wordpress", "denver post", "server nginx", "date sun", "gmt contenttype", "connection", "wordpress vip", "https", "link", "json", "contentencoding", "miss xrq", "value", "july", "variables", "osano function", "gpp function", "tcfapi function", "uspapi", "mg2 string", "bcclass", "dfmadmodslevel", "xblocker", "extraction", "data upload", "extrac", "included data", "review ious", "u excluded", "suggesteroo", "ony incude", "failed", "so type", "extra data", "includec review", "exclude suggest", "find s", "s type", "ur extraction", "extract", "included ic", "review ioc", "type no", "extri", "include review", "exclude sugges", "typ filel", "filet filet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1774, "FileHash-SHA256": 3808, "domain": 373, "FileHash-MD5": 155, "FileHash-SHA1": 135, "hostname": 1156 }, "indicator_count": 7401, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a835fc0836f148fa45c8", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2023-12-06T16:58:29.243000", "created": "2023-12-06T16:58:29.243000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a521974bdb5d6dbda092", "name": "", "description": "", "modified": "2023-12-06T16:45:21.776000", "created": "2023-12-06T16:45:21.776000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5109ecc3c75c949f950", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-12-06T16:45:04.296000", "created": "2023-12-06T16:45:04.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4f322399eb1db2a07b2", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-12-06T16:44:35.786000", "created": "2023-12-06T16:44:35.786000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4e083c4acd789ea7e58", "name": "Blacklisted", "description": "", "modified": "2023-12-06T16:44:16.060000", "created": "2023-12-06T16:44:16.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2258, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15663, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4d5c14495fcf65ee8a5", "name": "Netsky", "description": "", "modified": "2023-12-06T16:44:05.631000", "created": "2023-12-06T16:44:05.631000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4cb97598bac143dc90b", "name": "Critical: Pinterest Cyber Espionage", "description": "", "modified": "2023-12-06T16:43:55.639000", "created": "2023-12-06T16:43:55.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f203d9b8cd815d8b5134c", "name": "Unsupported IE 404 account running BotNet Command & Control", "description": "", "modified": "2023-10-30T03:17:17.770000", "created": "2023-10-30T03:17:17.770000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6523344e4adc85389899504c", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b296b842740e2f7b2625", "name": "Blacklisted", "description": "", "modified": "2023-10-17T09:00:23.825000", "created": "2023-09-17T08:02:30.711000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b27d63535110fca94a73", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7207, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2258 }, "indicator_count": 15667, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b4a0406fd5b9839955b0", "name": " ", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:11:12.583000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b48d699080b4bfd334c5", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:10:53.311000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b3a1d09b3acfd89906a5", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b3a1d09b3acfd89906a5", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:06:57.276000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b296b842740e2f7b2625", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b27d63535110fca94a73", "name": "Netsky ", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:02:05.910000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b2196ad4270f3ba15394", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b2196ad4270f3ba15394", "name": "Critical: Pinterest Cyber Espionage", "description": "Attack", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:00:24.928000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "642eac06b2963a871b0fdd45", "name": "just a bunch of tv's - Oh maybe these tv channels are all neural \ud83e\udd37\u200d\u2640\ufe0f world tv stream infection", "description": "The Falcon Sandbox malware analysis service is available to download, download and use any of the Falcon MalQuery tools or information you may have seen on the website. \u00c2\u00a31.5m", "modified": "2023-05-06T10:00:48.707000", "created": "2023-04-06T11:24:54.313000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "dropped file", "runtime data", "chromeua", "span", "optout", "pcap processing", "pattern match", "script", "click", "date", "middle", "null", "april", "twitter", "body", "error", "jackson", "desktop", "service", "bill", "heat", "webview", "cruise", "blank", "meta", "night", "false", "contact", "suspicious", "facebook", "close", "cannon", "mayberry", "santana", "comment", "flex", "karma", "nightmare", "find", "spacer", "kitty", "mike", "local", "already", "soldier", "wallpaper", "story", "generic", "tiny", "trident", "android", "hybrid", "general", "hosts", "favorite", "homepage", "music", "code", "push", "strings", "malicious", "qakbot", "25px", "60px", "24px", "100px", "1439px", "segoe ui", "roboto", "path", "chat", "form", "embed", "unknown", "live", "network", "unicode", "feed", "5000", "next", "fullscreen", "iframe", "latv", "latino voices", "localappdata", "latino", "noscript", "pragma", "this", "hybrid analysis", "programfiles", "input", "wilstaging02", "potential ip" ], "references": [ "https://hybrid-analysis.com/sample/843923233cd86185dc3983fbe0fe3be72c6aeef0372db6c076287befc9d3fc5b/642d9d1695c2babbb70478eb", "https://hybrid-analysis.com/sample/52cd1ef12d9ec251dee2996f76150757f7247903d1cf86322569ed90536f59b3/642d9d5f20d5a59b1c0443fd", "https://hybrid-analysis.com/sample/ead272d3ccb36a5a827f80418096bfc30d1251bb739b06ff1711844d99d1b214/642d9de1e48d649afd01ad36", "https://hybrid-analysis.com/sample/3243e4a1f5a075f4d57121d5738d321dcd7e4c79bd96828442e351f660b60dc3/642d9d9c7cb35d938c068be9", "https://hybrid-analysis.com/sample/ea23092a5495e8990d050e61214866717374d79a9403232e37e271e327fe3a58/642db9b4ddc1df124a09bec0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1291, "email": 13, "domain": 591, "URL": 3931, "FileHash-SHA256": 431, "FileHash-MD5": 92, "FileHash-SHA1": 89 }, "indicator_count": 6438, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1079 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://ww1.tsx.org/_fd", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "http://www.Apple.com/quicktime/download/standalone.html", "Roksit.net", "https://hybrid-analysis.com/sample/52cd1ef12d9ec251dee2996f76150757f7247903d1cf86322569ed90536f59b3/642d9d5f20d5a59b1c0443fd", "https://hybrid-analysis.com/sample/ea23092a5495e8990d050e61214866717374d79a9403232e37e271e327fe3a58/642db9b4ddc1df124a09bec0", "http://www.Apple.com/quicktime/download", "stagelight.pl (malicious/ pattern match)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.haverhillcc.com (remote hacking)", "https://hybrid-analysis.com/sample/ead272d3ccb36a5a827f80418096bfc30d1251bb739b06ff1711844d99d1b214/642d9de1e48d649afd01ad36", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "https://sinister.ly/Thread-Apple-empty-box?page=13", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "Data Analytics", "https://support.Apple.com/de", "https://www.roseoubleu.fr/panier (phishing)", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "init.ess.apple.com (remote hacking)", "https://hybrid-analysis.com/sample/3243e4a1f5a075f4d57121d5738d321dcd7e4c79bd96828442e351f660b60dc3/642d9d9c7cb35d938c068be9", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://www.apple.com/sitemap/", "https://applepaydayloans.com/", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "Behavior Pattern Match Analysis", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "remote.telegrafix.com (remote hacking)", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://hybrid-analysis.com/sample/843923233cd86185dc3983fbe0fe3be72c6aeef0372db6c076287befc9d3fc5b/642d9d1695c2babbb70478eb", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "www.jamesbgriffinlaw.com (malicious host)", "http://init-p01st.push.apple.com/bag (remote hacking)", "applepaydayloans.com", "45.159.189.105 (Command and Control)", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "http://45.159.189.105/bot/regex (Bot Command)", "apple.com. (malicious version/header)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Gen:variant.zusy", "Trojan.ole2.vbs", "Maltiverse", "Slfper:installcore", "Sodin ransomware", "Malicious.22a4c0", "Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat", "Worm:win32/netsky", "Trojan.generic", "Backdoor.mokes", "Generic.31fcc75f", "#lowfi:siga:trojanspy:msil/keylogger", "Gen:variant.bulz", "Laplasclipper", "Pws:msil/steam", "Ml.generic", "Artemis", "Proxy", "Trojan.html.agent", "Adwaresig [adw] ml.generic", "Phish.ab", "Alf:program:opencandy:remnant", "Malware.generic", "Trojanspy", "Qvm20.1.8d80.malware", "Relic", "Gen:variant.razy", "Keyloggers", "Tel:delphi/obfuscator", "Redline stealer", "Sdbot.caoc", "Anonymizer", "Ramnit", "Cobalt strike - s0154", "Adware.dropware", "Tel:trojan:win32/emotet", "Trojan.ransom.generickd", "Gamehack.dr", "#hstr:hacktool:win32/mimikatz", "Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea", "W32.hack.generic", "Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar", "Generic.malware", "Skynet", "Dropper.binder" ], "industries": [], "unique_indicators": 30987 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/eu-1-id5-sync.com", "whois": "http://whois.domaintools.com/eu-1-id5-sync.com", "domain": "eu-1-id5-sync.com", "hostname": "lb.eu-1-id5-sync.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "68730c407f8484c524c2d7f4", "name": "The Denver Post used for Fake news | Foundry | Twitter | Porn", "description": "Is the Denver Post a honey pot? Portal? Used for investigating? Smear campaigns? \n\nVictims reported for multiple years their names have been advertised in malicious red report campaigns, obituaries, threats. This has been true of the Ricky Mountain News which has been out of business for years and Denver Post.\n\n\nI can\u2019t annotate so I can\u2019t include references.\nReferences:\nFoundry\nTwitter\nDouglas Undersheriff who was either being smeared or heading a smear campaign.\nPorn\nTwitter \nInjured worker\u2019s compensation targets with la he loss including death.\nThey don\u2019t want to pay. Crazy fact: Workers compensation keeps the nearly a billion $ annually tax free. Does not want to pay. Bonuses doctors and anyone who will deny truly injured workers their compensation. \n#callthecopsifyousee_o-o_t_pac", "modified": "2025-08-12T01:02:51.771000", "created": "2025-07-13T01:30:40.917000", "tags": [ "gtmtlfp4r", "utc gtmtlfp4r", "domains", "hashes", "reverse dns", "url https", "general full", "united", "security tls", "resource", "protocol h2", "software", "hash", "name value", "main", "spurlock", "carlos illescas", "wordpress", "denver post", "server nginx", "date sun", "gmt contenttype", "connection", "wordpress vip", "https", "link", "json", "contentencoding", "miss xrq", "value", "july", "variables", "osano function", "gpp function", "tcfapi function", "uspapi", "mg2 string", "bcclass", "dfmadmodslevel", "xblocker", "extraction", "data upload", "extrac", "included data", "review ious", "u excluded", "suggesteroo", "ony incude", "failed", "so type", "extra data", "includec review", "exclude suggest", "find s", "s type", "ur extraction", "extract", "included ic", "review ioc", "type no", "extri", "include review", "exclude sugges", "typ filel", "filet filet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1774, "FileHash-SHA256": 3808, "domain": 373, "FileHash-MD5": 155, "FileHash-SHA1": 135, "hostname": 1156 }, "indicator_count": 7401, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a835fc0836f148fa45c8", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2023-12-06T16:58:29.243000", "created": "2023-12-06T16:58:29.243000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a521974bdb5d6dbda092", "name": "", "description": "", "modified": "2023-12-06T16:45:21.776000", "created": "2023-12-06T16:45:21.776000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5109ecc3c75c949f950", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-12-06T16:45:04.296000", "created": "2023-12-06T16:45:04.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4f322399eb1db2a07b2", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-12-06T16:44:35.786000", "created": "2023-12-06T16:44:35.786000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4e083c4acd789ea7e58", "name": "Blacklisted", "description": "", "modified": "2023-12-06T16:44:16.060000", "created": "2023-12-06T16:44:16.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2258, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15663, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4d5c14495fcf65ee8a5", "name": "Netsky", "description": "", "modified": "2023-12-06T16:44:05.631000", "created": "2023-12-06T16:44:05.631000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4cb97598bac143dc90b", "name": "Critical: Pinterest Cyber Espionage", "description": "", "modified": "2023-12-06T16:43:55.639000", "created": "2023-12-06T16:43:55.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f203d9b8cd815d8b5134c", "name": "Unsupported IE 404 account running BotNet Command & Control", "description": "", "modified": "2023-10-30T03:17:17.770000", "created": "2023-10-30T03:17:17.770000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6523344e4adc85389899504c", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://lb.eu-1-id5-sync.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://lb.eu-1-id5-sync.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776644036.215713 }