{ "type": "URL", "indicator": "https://leeyr.com/150.htm", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://leeyr.com/150.htm", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4136439003, "indicator": "https://leeyr.com/150.htm", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc68684ad290e0c21a88ab", "name": "Cab / Drive by Compromise Part 2 After 1st scan results.", "description": "104.16.148.244\n, \n104.16.149.244\nLocation\n\nUnited States\nASN\nAS13335 cloudflare\nNameservers\nns-cloud-e4.googledomains.com.\n, \nns-cloud-e1.googledomains.com.\n, \nns-cloud-e3.googledomains.com.\n, \nns-cloud-e2.googledomains.com.\nWhois:\n\n\nDomain Name\tFBI.GOV\nStatus\tACTIVE\n\n Whitelisted\t\tA\t\t2025-09-10 07:17\t2025-09-10 07:17\t\tcountry flag United States\n Whitelisted\t\tAAAA\t\t2025-08-24 05:36\t2025-08-24 05:36\t\tcountry flag United States\n\nhttps://le.fbi.gov\t\tConnection Error\t\tNot Present\t\nSep 30, 2025\thttps://littlerock.fbi.gov\t\t\n[Lol, OTX auto populated: A summary of key facts and statistics about a cyber-attack on the US government, as compiled by the Department of Homeland Security (DHS) and the Office of National Statistics (OBS).]", "modified": "2025-10-30T00:02:15.510000", "created": "2025-09-30T23:31:52.265000", "tags": [ "present sep", "united", "ip address", "aaaa", "next associated", "location united", "asn as13335", "less", "pulses" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 42, "domain": 31, "hostname": 46, "URL": 71 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "Entity CLOUD14", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Yara Detections: stack_string Alerts: dead_host", "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Ms defender - trojandownloader:win32/dalexis!rfn!rfn", "Clamav - win.malware.cabby-6803812", "Avast- win32:filecoder-ad\\ [trj]", "Code virus ransomware" ], "industries": [], "unique_indicators": 11228 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/leeyr.com", "whois": "http://whois.domaintools.com/leeyr.com", "domain": "leeyr.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc68684ad290e0c21a88ab", "name": "Cab / Drive by Compromise Part 2 After 1st scan results.", "description": "104.16.148.244\n, \n104.16.149.244\nLocation\n\nUnited States\nASN\nAS13335 cloudflare\nNameservers\nns-cloud-e4.googledomains.com.\n, \nns-cloud-e1.googledomains.com.\n, \nns-cloud-e3.googledomains.com.\n, \nns-cloud-e2.googledomains.com.\nWhois:\n\n\nDomain Name\tFBI.GOV\nStatus\tACTIVE\n\n Whitelisted\t\tA\t\t2025-09-10 07:17\t2025-09-10 07:17\t\tcountry flag United States\n Whitelisted\t\tAAAA\t\t2025-08-24 05:36\t2025-08-24 05:36\t\tcountry flag United States\n\nhttps://le.fbi.gov\t\tConnection Error\t\tNot Present\t\nSep 30, 2025\thttps://littlerock.fbi.gov\t\t\n[Lol, OTX auto populated: A summary of key facts and statistics about a cyber-attack on the US government, as compiled by the Department of Homeland Security (DHS) and the Office of National Statistics (OBS).]", "modified": "2025-10-30T00:02:15.510000", "created": "2025-09-30T23:31:52.265000", "tags": [ "present sep", "united", "ip address", "aaaa", "next associated", "location united", "asn as13335", "less", "pulses" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 42, "domain": 31, "hostname": 46, "URL": 71 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://leeyr.com/150.htm", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://leeyr.com/150.htm", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641851.532739 }