{ "type": "URL", "indicator": "https://lock.mobiletoolapps.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://lock.mobiletoolapps.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3230073260, "indicator": "https://lock.mobiletoolapps.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 33, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b056df6e0c1138d15c74c", "name": "LinkedIn | packer_ce1a", "description": "1 researched expanded IOC\u2019s from LinkedIn of alleged \u2018HM\u2019 [FileHash-SHA256\n69d0fb49a546c40c1829baba60df9f9d898190a6af9207a24ec393243843f7fa]\n\n\u2022 Win.Packer.pkr_ce1a-9980177-0\nAlerts:\n#injection_inter_process\n#injection_create_remote_thread\n#creates_largekey\n#network_bind\n#persistence_autorun\n#persistence_autorun_tasks\n#spawns_dev_util\n#cape_detected_threat\n#injection_process_hollowing\n#antivm_generic_disk\n#antivm_generic_services\n#deletes_executed_files\n#injection_runpe\n#persistence_ads\n#suspicious_command\n#hitm@n #whohiredyou", "modified": "2025-08-30T05:01:26.795000", "created": "2025-07-31T05:55:57.885000", "tags": [ "dynamicloader", "xc0xd5xb4x16x", "lxc6nf", "ix18xcblt", "fxeey", "x93xeb", "xa5x07x88x1c", "xb4x9fxf6gp", "xaex16x99", "txebwxbex83", "grum", "tofsee", "accept", "unknown", "copy", "stream", "powershell", "write", "xcaon", "win64", "united", "search", "entries", "delete c", "show", "windows nt", "wow64", "delete", "as15169" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 107, "FileHash-SHA1": 103, "FileHash-SHA256": 1280, "URL": 1166, "domain": 236, "hostname": 379 }, "indicator_count": 3271, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "649 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "649 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570897ecb6cec4777625431", "name": "www.routerlogin.net", "description": "", "modified": "2023-12-06T14:47:26.604000", "created": "2023-12-06T14:47:26.604000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1532, "domain": 2033, "URL": 11153, "hostname": 2800, "FileHash-SHA1": 5, "email": 3, "FileHash-MD5": 6 }, "indicator_count": 17532, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570800373899fd03e2e49db", "name": "Democrats.org", "description": "", "modified": "2023-12-06T14:06:59.250000", "created": "2023-12-06T14:06:59.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3114, "domain": 3501, "hostname": 3860, "URL": 17938, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f519ef27fa72eb62598", "name": "CambridgeAnalytica.org", "description": "", "modified": "2023-12-06T14:04:01.301000", "created": "2023-12-06T14:04:01.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 335, "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ed1b2c24f71d408f58a", "name": "lvc.org", "description": "", "modified": "2023-12-06T14:01:52.611000", "created": "2023-12-06T14:01:52.611000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "hostname": 3051, "FileHash-SHA256": 524, "URL": 14286, "domain": 1501, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ec3c760eea3873db672", "name": "BernieSanders.com (Pt.3)", "description": "", "modified": "2023-12-06T14:01:39.582000", "created": "2023-12-06T14:01:39.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1950, "hostname": 1620, "domain": 900, "URL": 6563 }, "indicator_count": 11034, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e5b7df6f60133e8fb50", "name": "Jeeng / Powerbox", "description": "", "modified": "2023-12-06T13:59:55.129000", "created": "2023-12-06T13:59:55.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 9072, "domain": 2500, "hostname": 3584, "URL": 13548, "FileHash-MD5": 197, "FileHash-SHA1": 162, "email": 19, "CIDR": 20, "SSLCertFingerprint": 2, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707d8251e635c843c1f5b8", "name": "Asurion.com", "description": "", "modified": "2023-12-06T13:56:18.534000", "created": "2023-12-06T13:56:18.534000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 805, "hostname": 2031, "URL": 7728, "domain": 1064, "FileHash-MD5": 4, "FileHash-SHA1": 4, "email": 2 }, "indicator_count": 11638, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707c9df9c33dd5983b366a", "name": "TrueCar.com", "description": "", "modified": "2023-12-06T13:52:29.953000", "created": "2023-12-06T13:52:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1156, "domain": 4253, "hostname": 4203, "URL": 17071, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707b9630308cb99a817277", "name": "Pool's Closed", "description": "", "modified": "2023-12-06T13:48:06.514000", "created": "2023-12-06T13:48:06.514000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "628437db120de2ab2ecb49fe", "name": "The \u201cconti leak page\u201d - likely conti", "description": "Conti leak page https://share.vx-underground.org/Conti/ is likely conti", "modified": "2022-06-16T00:01:26.112000", "created": "2022-05-18T00:03:39.947000", "tags": [ "woff2", "woff", "truetype", "gelionbold", "gelionsemibold", "gelionmedium", "gelionregular", "gelionlight", "gelionthin", "xe", "object", "error", "element", "typeof t", "browser", "ofunction", "typeof e", "typeof r", "tthis", "applepay", "date", "null", "accept", "license", "or conditions", "post", "array", "copyright", "apache license", "version", "this code", "is provided", "on an", "symbol", "typeerror", "iterator", "string", "facebook pixel", "pixel code", "facebook", "service", "phonenumber", "regexp", "function", "shadowsizzle", "domdata", "hexchars", "promise", "typeof n", "agent", "launcher", "this", "android", "class", "fail", "shift", "bind", "trident", "getclass", "body", "widget", "edge", "dataname", "intercom", "typeof symbol", "apple", "webkiti", "criosi", "javascript" ], "references": [ "xfe-URL-share.vx-underground.org_Conti-stix2-2.1-export.json", "https://app.uizard.io/p/c69fa2aa", "https://widget.intercom.io/widget/e1nqrt2k", "https://cdn.eu.pendo.io/agent/static/82b060a2-2cf8-472e-55d4-bd0833416335/pendo.js", "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.60", "xfe-URL-vx-underground.org_Conti_-stix2-2.1-export.json", "xfe-URL-uizard.io-stix2-2.1-export.json", "https://public.profitwell.com/js/profitwell.js?auth=80939adc88898a29e714f6dd3d25e8ba", "https://js.stripe.com/v3", "https://app.uizard.io/fonts.css?cache=2022-04-29-12-55-57", "xfe-URL-Js.stripe.net-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Xe", "display_name": "Xe", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 707, "URL": 3480, "FileHash-SHA256": 438, "domain": 458, "email": 2, "FileHash-MD5": 49 }, "indicator_count": 5134, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1403 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620c3b1f8af7ea0dcf2c1218", "name": "Jeeng / Powerbox", "description": "", "modified": "2022-06-12T22:01:23.105000", "created": "2022-02-15T23:45:35.234000", "tags": [ "Jeeng", "tim pool", "timcast" ], "references": [ "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9072, "domain": 2500, "URL": 13548, "hostname": 3584, "FileHash-MD5": 197, "FileHash-SHA1": 162, "CVE": 3, "CIDR": 20, "SSLCertFingerprint": 2, "email": 19, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 97, "modified_text": "1407 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6235e08a628e6c19d898f05c", "name": "www.routerlogin.net", "description": "", "modified": "2022-04-18T00:07:16.048000", "created": "2022-03-19T13:54:18.436000", "tags": [ "code", "server", "san jose", "date", "key identifier", "algorithm", "email", "registrar url", "registry domain", "registry expiry", "win32 exe", "win32 dll", "dos exe", "android", "librouter", "network capture", "thinclient", "setup", "type name", "referring", "technology", "dns replication", "security", "registrar abuse", "comodo valkyrie", "verdict mobile", "rank value", "ingestion time", "cisco umbrella", "dns records", "record type", "nreum", "httponly", "netgear router", "submission", "expirestue", "path", "netgear twitter", "router login", "nr agent", "Ransomware", "WannaCry" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null }, { "id": "Win32:Dracur-D\\ [Cryp]", "display_name": "Win32:Dracur-D\\ [Cryp]", "target": null }, { "id": "Worm:Win32/Krol.A", "display_name": "Worm:Win32/Krol.A", "target": "/malware/Worm:Win32/Krol.A" } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1532, "domain": 2033, "hostname": 2800, "URL": 11153, "email": 3, "FileHash-MD5": 6, "FileHash-SHA1": 5 }, "indicator_count": 17532, "is_author": false, "is_subscribing": null, "subscriber_count": 414, "modified_text": "1462 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6220c81aaf6fddde0116569a", "name": "Democrats.org", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T13:52:26.328000", "tags": [ "date", "dns replication" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17938, "hostname": 3860, "domain": 3501, "FileHash-SHA256": 3114, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1478 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621927dd57ee9ed86aeb9cb4", "name": "CambridgeAnalytica.org", "description": "", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-25T19:02:53.023000", "tags": [ "win32 exe", "scott hanselman", "win32 dll", "llc creation", "date", "passive dns", "subdomains", "detections type", "name", "rich text", "format", "music", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA256": 335, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6213ffb8b8b4c14bf3c0420f", "name": "lvc.org", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T21:10:16.849000", "tags": [ "algorithm", "key identifier", "x509v3 subject", "solutions", "llc creation", "date", "categories", "ranks rank", "value ingestion", "time majestic", "umbrella", "masking enabled", "win32 exe", "server", "email", "registrar abuse", "practice", "gre premium", "code", "registrar url", "score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14286, "hostname": 3051, "domain": 1501, "FileHash-SHA256": 524, "CVE": 2, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6213f8adc8cfe3f681957ed1", "name": "BernieSanders.com (Pt.3)", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T20:40:13.490000", "tags": [ "ssl certificate", "whois record", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1620, "URL": 6563, "FileHash-SHA256": 1950, "domain": 900, "CVE": 1 }, "indicator_count": 11034, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "61f2cadaf1967e1400a2273a", "name": "Asurion.com", "description": "", "modified": "2022-02-26T00:02:44.767000", "created": "2022-01-27T16:39:54.550000", "tags": [ "technology", "date", "security", "csc corporate", "domains", "code", "llc registrar", "iana id", "server", "registrar abuse", "registrant", "tech email", "admin country", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "issuer", "cus cnentrust", "l1k oentrust", "entrust", "validity", "info", "first", "whois record", "ssl certificate" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 805, "URL": 7728, "hostname": 2031, "domain": 1064, "FileHash-MD5": 4, "FileHash-SHA1": 4, "email": 2 }, "indicator_count": 11638, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1513 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "61e2733e9e57250b5725ab5a", "name": "TrueCar.com", "description": "", "modified": "2022-02-14T00:00:26.279000", "created": "2022-01-15T07:09:50.416000", "tags": [ "android", "win32 exe", "key identifier", "win32 dll", "x509v3 subject", "server", "date", "registrar abuse", "algorithm", "markmonitor", "format", "impact", "first", "text", "email", "type name", "portable", "adguard premium", "usus", "mozilla firefox", "technology", "microsoft", "security", "subdomains", "threatseeker", "sophos", "comodo valkyrie", "verdict mobile", "rank value", "ingestion time", "statvoo", "cisco umbrella", "dns records", "record type", "ttl value", "msms94514764", "data", "v3 serial", "number", "issuer", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "domain status", "contact phone", "registrar", "ca creation", "dnssec", "domain name", "us registrant", "links https", "path", "submission", "httponly", "expiressat", "samesitelax", "details links", "vehicles comodo", "history first", "analysis" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17071, "hostname": 4203, "FileHash-SHA256": 1156, "domain": 4253, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 412, "modified_text": "1525 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "22.hio52.r.cloudfront.net", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IDS: TLS Handshake Failure", "Pool Closed", "https://js.stripe.com/v3", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "https://widget.intercom.io/widget/e1nqrt2k", "us-gov-west-1.gov.reveal-global.com", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "https://glare.pali om. \u2022 http://engage.palantirfou?", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "Alerts: mouse_movement_detect", "https://app.uizard.io/fonts.css?cache=2022-04-29-12-55-57", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "Yara: Detections ConventionEngine_Term_Users", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "https://public.profitwell.com/js/profitwell.js?auth=80939adc88898a29e714f6dd3d25e8ba", "www.killer333.club So I\u2019m right.", "campdeadwood2026.com", "Pornhub to your phone. Dumping or by request?", "xfe-URL-vx-underground.org_Conti_-stix2-2.1-export.json", "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "xfe-URL-Js.stripe.net-stix2-2.1-export.json", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "https://cdn.eu.pendo.io/agent/static/82b060a2-2cf8-472e-55d4-bd0833416335/pendo.js", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto", "xfe-URL-share.vx-underground.org_Conti-stix2-2.1-export.json", "Assurance", "Yara Detections BackdoorWin32Simda", "Yara : MS_Visual_Basic_6_0 ,", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "Foundry stalking.", "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "Pahamify Pegasus", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "findbetterresults.com", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.60", "Google_Chrome_64bit_v136.0.7103.49.exe", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "tv.apple.com", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "www2.megawebfind.com [command_and_control]", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "CVE-2023-22518 | CVE-2023-4966", "Pool's Closed", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "xfe-URL-uizard.io-stix2-2.1-export.json", "https://app.uizard.io/p/c69fa2aa", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.techcult.com", "https://test2.ditproducts.com/dat/wannacry1.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly," ], "malware_families": [ "Alf:jasyp:trojandownloader:win32/karagany!atmn", "Win.packed.pincav-7537597-0", "Win.trojan.xtoober-650", "Mydoom", "Sigur", "Trojan:win32/pariham.a", "Win.malware.incredimail-6804483-0", "Win.ransomware.wannacry-9856297-0", "Win.ransomware.msilzilla-10014498-0", "Kanna", "Virus:win95/cerebrus", "Trojandropper:win32/vb.il0", "Autorunit", "Agent tesla", "Der zugriff", "Trojan.karagany - s0094", "Win32:karagany-d\\ [trj]", "Ransomware", "Win32:dracur-d\\ [cryp]", "Trojan:win32/startpage.ss", "Xe", "Worm:win32/krol.a", "Alf:trojan:win32/cassini_56a3061!ibt" ], "industries": [ "Civil society", "Media", "Ad fraud", "Government", "Technology", "Financial", "Telecommunications", "Legal", "Healthcare", "Finance - insurance sector" ], "unique_indicators": 256194 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mobiletoolapps.com", "whois": "http://whois.domaintools.com/mobiletoolapps.com", "domain": "mobiletoolapps.com", "hostname": "lock.mobiletoolapps.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 33, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b056df6e0c1138d15c74c", "name": "LinkedIn | packer_ce1a", "description": "1 researched expanded IOC\u2019s from LinkedIn of alleged \u2018HM\u2019 [FileHash-SHA256\n69d0fb49a546c40c1829baba60df9f9d898190a6af9207a24ec393243843f7fa]\n\n\u2022 Win.Packer.pkr_ce1a-9980177-0\nAlerts:\n#injection_inter_process\n#injection_create_remote_thread\n#creates_largekey\n#network_bind\n#persistence_autorun\n#persistence_autorun_tasks\n#spawns_dev_util\n#cape_detected_threat\n#injection_process_hollowing\n#antivm_generic_disk\n#antivm_generic_services\n#deletes_executed_files\n#injection_runpe\n#persistence_ads\n#suspicious_command\n#hitm@n #whohiredyou", "modified": "2025-08-30T05:01:26.795000", "created": "2025-07-31T05:55:57.885000", "tags": [ "dynamicloader", "xc0xd5xb4x16x", "lxc6nf", "ix18xcblt", "fxeey", "x93xeb", "xa5x07x88x1c", "xb4x9fxf6gp", "xaex16x99", "txebwxbex83", "grum", "tofsee", "accept", "unknown", "copy", "stream", "powershell", "write", "xcaon", "win64", "united", "search", "entries", "delete c", "show", "windows nt", "wow64", "delete", "as15169" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 107, "FileHash-SHA1": 103, "FileHash-SHA256": 1280, "URL": 1166, "domain": 236, "hostname": 379 }, "indicator_count": 3271, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "649 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "649 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://lock.mobiletoolapps.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://lock.mobiletoolapps.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638687.6704998 }